Overview

overview

10

Static

static

BL Draft Copy.exe

windows7-x64

10

BL Draft Copy.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    BL Draft Copy.exe

  • Size

    863KB

  • Sample

    230105-hfr2aaee9y

  • MD5

    5f76ec4261e9ee6104cadf963e1fdefe

  • SHA1

    4bd2b0895e37e92d70f5ae463aafbc7e912cb07a

  • SHA256

    41ec6096bbedc3527a97d8a427988cd2885bb23eebefbe17c563a1e5aff52586

  • SHA512

    15770c50185e4594f64a2cc16b641093a347845ce68d701b65d3981967ba3f4a797656bcc7d4382d17d358be61dbe53833dfd1e8680af7195768c8e4479324a7

  • SSDEEP

    24576:76AnFoJiY3TZ5ae0lVw+BBUWxn48qKoe:7dFW8e0ggBUg9qKoe

Score
10/10
snakekeyloggercollectionkeyloggerpersistencespywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    kiamotors-khyber.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Bno-MD&$40Kjy(Yd

Targets

    • Target

      BL Draft Copy.exe

    • Size

      863KB

    • MD5

      5f76ec4261e9ee6104cadf963e1fdefe

    • SHA1

      4bd2b0895e37e92d70f5ae463aafbc7e912cb07a

    • SHA256

      41ec6096bbedc3527a97d8a427988cd2885bb23eebefbe17c563a1e5aff52586

    • SHA512

      15770c50185e4594f64a2cc16b641093a347845ce68d701b65d3981967ba3f4a797656bcc7d4382d17d358be61dbe53833dfd1e8680af7195768c8e4479324a7

    • SSDEEP

      24576:76AnFoJiY3TZ5ae0lVw+BBUWxn48qKoe:7dFW8e0ggBUg9qKoe

    Score
    10/10
    snakekeyloggercollectionkeyloggerpersistencespywarestealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks