General

  • Target: 65ae88db2ccd8e9da11e275342dad8ed.exe
  • Size: 377KB
  • Sample: 220726-sklp6sagcr
  • MD5: 65ae88db2ccd8e9da11e275342dad8ed
  • SHA1: fb96dca05b9a6a683fb839682ee1a6c3c0532d93
  • SHA256: 311e354dee07f9889d3efcd5dc0b87db72d8c9055827068b45051aabafc7e380
  • SHA512: 7644f50ae641499c6d61a004a215b7374b9691d69e9e3fa53bb5fa4c5c43d0edca4c6ec9147889ae2b3476d3e5d12e12acce0fc45d848d80a3dacfa0ca43957b

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target: 65ae88db2ccd8e9da11e275342dad8ed.exe
    • Size: 377KB
    • MD5: 65ae88db2ccd8e9da11e275342dad8ed
    • SHA1: fb96dca05b9a6a683fb839682ee1a6c3c0532d93
    • SHA256: 311e354dee07f9889d3efcd5dc0b87db72d8c9055827068b45051aabafc7e380
    • SHA512: 7644f50ae641499c6d61a004a215b7374b9691d69e9e3fa53bb5fa4c5c43d0edca4c6ec9147889ae2b3476d3e5d12e12acce0fc45d848d80a3dacfa0ca43957b

    • Detect PureCrypter loader

    • PureCrypter
      PureCrypter is a loader intended for downloading and executing additional payloads.

    • Snake Keylogger
      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads data files stored by FTP clients
      Tries to access configuration files associated with programs such as FileZilla.

    • Reads user/profile data of local email clients
      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks