General
-
Target
0d36bb32b9e6664fc3090b506f55cdf9.exe
-
Size
400KB
-
Sample
221002-hmgtwscfc9
-
MD5
0d36bb32b9e6664fc3090b506f55cdf9
-
SHA1
e46dc1f96a59e75966be8e1011f53b3b6043f364
-
SHA256
d88c101a1c0570712c1c182ba9c7f501bba00f98cb9d083286b339283b9008e2
-
SHA512
8eb5b97c1d8838fff7f6c75b2e9cb183d7c2312ebab7942249ab35b8f95d88e656fce7ee20918aafa7c82db7f9dfdf355425d8a7254b081c2a31dd85c48eecf7
-
SSDEEP
6144:UvEN2U+T6i5LirrllHy4HUcMQY6TL2yP2bCRYgbw:GENN+T5xYrllrU7QY6TL2jKw
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot5476629412:AAGbkcFsGq72YxKoGZjVmRBskss9nHikjMc/sendMessage?chat_id=5594190904
Targets
-
-
Target
0d36bb32b9e6664fc3090b506f55cdf9.exe
-
Size
400KB
-
MD5
0d36bb32b9e6664fc3090b506f55cdf9
-
SHA1
e46dc1f96a59e75966be8e1011f53b3b6043f364
-
SHA256
d88c101a1c0570712c1c182ba9c7f501bba00f98cb9d083286b339283b9008e2
-
SHA512
8eb5b97c1d8838fff7f6c75b2e9cb183d7c2312ebab7942249ab35b8f95d88e656fce7ee20918aafa7c82db7f9dfdf355425d8a7254b081c2a31dd85c48eecf7
-
SSDEEP
6144:UvEN2U+T6i5LirrllHy4HUcMQY6TL2yP2bCRYgbw:GENN+T5xYrllrU7QY6TL2jKw
Score10/10-
Modifies WinLogon for persistence
-
Modifies visiblity of hidden/system files in Explorer
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-