General

  • Target

    payment copy.rar

  • Size

    450KB

  • Sample

    221128-n2dnnsbe65

  • MD5

    4f319aa8ee62b7a55e412579369a9f5d

  • SHA1

    32f9e22024ec2df04dc15c6c4797c0dafab0ad05

  • SHA256

    e1343230309f534e71d05bec01c79e23e701905012800ae2fd6ca1763ee7f994

  • SHA512

    d37e963c015dfc7f7a9568cf0de61cfc72f80b1199605c860ecf2c2aa227a7023fa58d7b61c4ec45f533a64b8193e4135122790a08979b14b2ac116aeff25d09

  • SSDEEP

    6144:OXX0SRd8UuktnUbKn/qh9XkQmy6AriuwgZwAGRFb2ACIR/Z9ST9GX:OXX0SfB5KEyhaNy3x+AGRF1X9ST9GX

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol: smtp
  • Host: us2.smtp.mailhostbox.com
  • Port: 587
  • Username: viicanto@kopamarine.xyz
  • Password: Da8@b!Gj!#zY4K
  • Email To: viicanto@kopamarine.xyz

Targets

    • Target

      payment copy.exe

    • Size

      632KB

    • MD5

      9dc11bc9f45646da72f1fcd80ec3c8ef

    • SHA1

      6238eec6748e70e2685e8c2b58e9cbc7e41898ca

    • SHA256

      8ef5abf806b4399370b4c8a1ea4f0b87e995754b4594d751ba2648c55b71ad25

    • SHA512

      efd10d089aead06fe4dd841716f5348e94ce26fbf3b084a9345de28b88a79cb903a7ae7372378ed6ce6bd530eae739814df1b0d009bc2f5448168fddf50a9946

    • SSDEEP

      12288:pM9Dgh/PsZ1DX/VDJUS79oddN1hluiiahnUv+tECuLWJ:0Dgh/P7SQdDJ/hUG2Vi

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Collection (1 technique)

    Email Collection (T1114)

Tasks