General

  • Target

    0d01b398c62a9309102e4ff06a8e41ca.exe

  • Size

    904KB

  • Sample

    221003-g92l5sbea2

  • MD5

    0d01b398c62a9309102e4ff06a8e41ca

  • SHA1

    9d5295874a6d5bce167fe43c02b79dde88100ad2

  • SHA256

    7a67b150e39e9a9e879083da6aba720773e8bd4b3a46729fff3a38554d27e05e

  • SHA512

    9b7713d68b73972138007987b5f5c3dfc2d95e8bc139d2b9b590d6e49c9ec6a7284f19c16d5ab6f9a236c88d0910ee4b63baa32906d2ede0cba80b803223edb0

  • SSDEEP

    12288:qBx6K4HTN4C+IXBUZBjf4UZjXPzyUwRLee3fPDzWa2tTGH+Z0OfxM:NBkBjRZrPOUo1vbsty2G

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    smadar.joseph@almalasers-il.com
  • Password:
    doDHyw%0
  • Email To:
    smadar.joseph@almalasers-il.com

Targets

    • Target

      0d01b398c62a9309102e4ff06a8e41ca.exe

    • Size

      904KB

    • MD5

      0d01b398c62a9309102e4ff06a8e41ca

    • SHA1

      9d5295874a6d5bce167fe43c02b79dde88100ad2

    • SHA256

      7a67b150e39e9a9e879083da6aba720773e8bd4b3a46729fff3a38554d27e05e

    • SHA512

      9b7713d68b73972138007987b5f5c3dfc2d95e8bc139d2b9b590d6e49c9ec6a7284f19c16d5ab6f9a236c88d0910ee4b63baa32906d2ede0cba80b803223edb0

    • SSDEEP

      12288:qBx6K4HTN4C+IXBUZBjf4UZjXPzyUwRLee3fPDzWa2tTGH+Z0OfxM:NBkBjRZrPOUo1vbsty2G

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks