General

  • Target

    303a311868f65121392b851d610054b544181e14d697b1151ef0f490e3a8dbd0

  • Size

    564KB

  • Sample

    220705-c6lz3afbg4

  • MD5

    e99a568ef082bfca5af20fbb88d61e02

  • SHA1

    ccdfbafcd141e00bcaa748827142daabdd5729e5

  • SHA256

    303a311868f65121392b851d610054b544181e14d697b1151ef0f490e3a8dbd0

  • SHA512

    f0081d4e744084dd09401e734955ba402ba0a9046274348978828ea4aa3be724c5dcca432590a7d2c3fa3654bbced6576812a2a5785dfc59ff7421943aa8934d

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    cp5ua.hyperhost.ua
  • Port:
    587
  • Username:
    arinzelog@valete.buzz
  • Password:
    7213575aceACE@#$
  • Email To:
    arinze@valete.buzz
C2

https://api.telegram.org/bot5321688653:AAEI2yqGrOA_-sRZ3xaqutrexraSgFa0AnA/sendMessage?chat_id=5048077662

Targets

    • Target

      303a311868f65121392b851d610054b544181e14d697b1151ef0f490e3a8dbd0

    • Size

      564KB

    • MD5

      e99a568ef082bfca5af20fbb88d61e02

    • SHA1

      ccdfbafcd141e00bcaa748827142daabdd5729e5

    • SHA256

      303a311868f65121392b851d610054b544181e14d697b1151ef0f490e3a8dbd0

    • SHA512

      f0081d4e744084dd09401e734955ba402ba0a9046274348978828ea4aa3be724c5dcca432590a7d2c3fa3654bbced6576812a2a5785dfc59ff7421943aa8934d

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks