Overview

overview

10

Static

static

1

Order.009993337.exe

windows7_x64

10

Order.009993337.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Order.009993337.exe

  • Size

    550KB

  • Sample

    211203-lr7snabac7

  • MD5

    d2360fe15b37eb34a479aefa87fa48e3

  • SHA1

    b812bb43a88e0f63558c646615c693347ebbbf7a

  • SHA256

    75f7a5b155426bf485770e395bac90894eee5f8d1742f774429d726f7a5156bc

  • SHA512

    669c9f76a06103ab59f1e2b4a8bccbc5005c1b82dd80279820ead3470c3cdd148081297e1b3e9c895584a52e5ff7f596735108b6272989e925c1a2fca725c9ab

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    mail.greentrading.com.pk
  • Port:
    26
  • Username:
    info@greentrading.com.pk
  • Password:
    lovetoall

Targets

    • Target

      Order.009993337.exe

    • Size

      550KB

    • MD5

      d2360fe15b37eb34a479aefa87fa48e3

    • SHA1

      b812bb43a88e0f63558c646615c693347ebbbf7a

    • SHA256

      75f7a5b155426bf485770e395bac90894eee5f8d1742f774429d726f7a5156bc

    • SHA512

      669c9f76a06103ab59f1e2b4a8bccbc5005c1b82dd80279820ead3470c3cdd148081297e1b3e9c895584a52e5ff7f596735108b6272989e925c1a2fca725c9ab

    Score
    10/10
    snakekeyloggerkeyloggerstealercollectionspyware

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger Payload

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks