snakekeylogger | 646ff740a579fad8c98875763bc0fc06335a88b922cdfd25b71b7e12cc0460f8 | Triage

Sharing

General

Target

SCANCOPY3892783-PDF.exe
Size

1.2MB
Sample

211206-g928nsgcb2
MD5

dd373ae45da1d4f797f38e2e356d329f
SHA1

38efe558e2c1e721543f07e84bc8e0445b96d633
SHA256

646ff740a579fad8c98875763bc0fc06335a88b922cdfd25b71b7e12cc0460f8
SHA512

1cbe3ff1512d2de91adb330efaa65a4e00aba4c2edb83e8a9a9346c6068b6f6153f268bac6c50905cbcb76bc2e10fae5c573ae646c4c3849f68fe007e24b8a7a

Score

10^/10

snakekeylogger collection keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.alroman.com
Port:
587
Username:
customercare@alroman.com
Password:
abc@24638

Targets

- Target
  
  SCANCOPY3892783-PDF.exe
- Size
  
  1.2MB
- MD5
  
  dd373ae45da1d4f797f38e2e356d329f
- SHA1
  
  38efe558e2c1e721543f07e84bc8e0445b96d633
- SHA256
  
  646ff740a579fad8c98875763bc0fc06335a88b922cdfd25b71b7e12cc0460f8
- SHA512
  
  1cbe3ff1512d2de91adb330efaa65a4e00aba4c2edb83e8a9a9346c6068b6f6153f268bac6c50905cbcb76bc2e10fae5c573ae646c4c3849f68fe007e24b8a7a
Score

10^/10

snakekeylogger collection keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

snakekeyloggercollectionkeyloggerstealer

behavioral2

snakekeyloggercollectionkeyloggerstealer