General

  • Target

    SecuriteInfo.com.Win32.PWSX-gen.7409.6325

  • Size

    892KB

  • Sample

    221129-e5yctaee37

  • MD5

    53419448f3747f2d4748764033bd3928

  • SHA1

    b09dc87e713d166416d7eeed5881de734a8c2167

  • SHA256

    84c53b0151ffcb22f8c50057daf61f41f6eb39381f41ca4db908fb93170382db

  • SHA512

    dcee8d2a4d3a9ab33073e71dd997fc5e9ee581bd6d5427395670452692cae6e33d8ed9f1d5a0043f0c7aa9f0a30e3d5505899f1c1a5809b9990fbea357fde0b8

  • SSDEEP

    24576:+Tb8JM6PoXJFdnm9fJPrzokrj7OCx/e8Cg7RUa5Z:7a7JFdnOjzokX1XRUyZ

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      SecuriteInfo.com.Win32.PWSX-gen.7409.6325

    • Size

      892KB

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other things.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks