General
-
Target
MV ASPL TBN.exe
-
Size
166KB
-
Sample
221123-n7fp8adg2s
-
MD5
28fa19adec2fa9a8d1e8d67310d58f0b
-
SHA1
58e964eec035d120bfdd5c8968f227fc516f8893
-
SHA256
9c0cab2fc38f52243eff7e3fa43e088d76b0a77d1253230c0d9b28c8f64f611d
-
SHA512
f61c3ce86850e2ccb50fb2555229b52f0300088294e7f419169a4d309ef0c63807e7cb12bc47fe04d78e7b1b2fb71952c08483c17119d439138d17695435226d
-
SSDEEP
384:eHHVieHKQN6dmOSACCB0W77EldnvGNDj:eHH5N64OSACCBSdnvGNn
Malware Config
Targets
-
-
Target
MV ASPL TBN.exe
-
Size
166KB
-
MD5
28fa19adec2fa9a8d1e8d67310d58f0b
-
SHA1
58e964eec035d120bfdd5c8968f227fc516f8893
-
SHA256
9c0cab2fc38f52243eff7e3fa43e088d76b0a77d1253230c0d9b28c8f64f611d
-
SHA512
f61c3ce86850e2ccb50fb2555229b52f0300088294e7f419169a4d309ef0c63807e7cb12bc47fe04d78e7b1b2fb71952c08483c17119d439138d17695435226d
-
SSDEEP
384:eHHVieHKQN6dmOSACCB0W77EldnvGNDj:eHH5N64OSACCBSdnvGNn
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-