General
-
Target
Dekont Swift Mesaji.exe
-
Size
970KB
-
Sample
211207-wdfr5abhbq
-
MD5
7dd3654a64ae8c4b4a1b34376ca00e97
-
SHA1
cf22f0375784b414f4ffd3c8044d7d9aad0c78da
-
SHA256
3f21db9d14aeead42447a3da72e51971ff0eaf006919824b02416bc0943ad551
-
SHA512
962b58e2f1ef564964f19c6500489a6ffa6dc22b67128dbf8ba1e8c64a60dbea4162be57c65f3fd93b5e8cc05857a9a212bcaa4c4730fe2b4a155083932a5f29
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.eriminsaat.com.tr - Port:
587 - Username:
ercanerol@eriminsaat.com.tr - Password:
ercan932016erim
Targets
-
-
Target
Dekont Swift Mesaji.exe
-
Size
970KB
-
MD5
7dd3654a64ae8c4b4a1b34376ca00e97
-
SHA1
cf22f0375784b414f4ffd3c8044d7d9aad0c78da
-
SHA256
3f21db9d14aeead42447a3da72e51971ff0eaf006919824b02416bc0943ad551
-
SHA512
962b58e2f1ef564964f19c6500489a6ffa6dc22b67128dbf8ba1e8c64a60dbea4162be57c65f3fd93b5e8cc05857a9a212bcaa4c4730fe2b4a155083932a5f29
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-