General

  • Target

    3ca281f64c837dc8bbee64ae5936d802aeb5899d900efc3265e3a57b3bd2b3f1

  • Size

    439KB

  • Sample

    221125-wsdajsdh42

  • MD5

    a238165c51a808dcc9104688cae91300

  • SHA1

    b9dfd9abf3e2ed1b302fa56b5733989af5951642

  • SHA256

    dbd498ba00f08d2a49da541c124f1d99dae6e4ba7214a87f748c2ead4b814b3b

  • SHA512

    b0138c16a9ce8449afa410fc592ab0747f62cd4b9e042435272914be47499344d6caabb019c6ac6f3ac48c8ab72190fd546a9ae2d8f2ce3060d2e9ed58aebdea

  • SSDEEP

    12288:V5c8Kr/JYLzWssoFCRwr1IXe8gIwtlK/qbYXmX:V5+YLOnOr1qPyYS

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      3ca281f64c837dc8bbee64ae5936d802aeb5899d900efc3265e3a57b3bd2b3f1

    • Size

      597KB

    • MD5

      3bdfb659d6251a7f901ba781d0a9462b

    • SHA1

      b25c6a4dc617b2bdc04cdcc64cbb1cce8f4ca8f7

    • SHA256

      3ca281f64c837dc8bbee64ae5936d802aeb5899d900efc3265e3a57b3bd2b3f1

    • SHA512

      e33c49c7b07c5410f30b631f572ad46859cd0bc5a5327eeab0ece99ad6946adfe659946b009f34e3a62c9d12a291bf447f835071af73b766bc768124286c964e

    • SSDEEP

      12288:krmIZxD7RP5CJQ/Pjass2FsREr10XecgIwnlK+sZPbLj:krmls6Ner12ycbL

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks