General

  • Target

    9cef746651b3dc0dc351663360dc8b614e4bd4d82b44ed13a212e988d2f3c072

  • Size

    820KB

  • Sample

    230125-man5nahd2y

  • MD5

    5344e37c86b3d841a58be30d101b9172

  • SHA1

    bd05b90d215555d814425cd1063a8196b970c1a4

  • SHA256

    9cef746651b3dc0dc351663360dc8b614e4bd4d82b44ed13a212e988d2f3c072

  • SHA512

    7f40d908eb3fac4919fc8c6eac28e6ece5af3d744018a179945ce9b200e6f7c3553135ed73a91206d88697ecd9b572b99edf8e7ed1a7b9295f55d9bd5a166929

  • SSDEEP

    24576:t8kyGyOYQzlGI6AAgZ5KwJSXqfejQP+xyTAWHt:t8kypOYjI6A1r8XKmxkN

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5611396317:AAGsgxx4hwlHZa8kVodTZpCQipWRFwFvBO0/sendMessage?chat_id=5237953097

Targets

    • Target

      9cef746651b3dc0dc351663360dc8b614e4bd4d82b44ed13a212e988d2f3c072

    • Size

      820KB

    • MD5

      5344e37c86b3d841a58be30d101b9172

    • SHA1

      bd05b90d215555d814425cd1063a8196b970c1a4

    • SHA256

      9cef746651b3dc0dc351663360dc8b614e4bd4d82b44ed13a212e988d2f3c072

    • SHA512

      7f40d908eb3fac4919fc8c6eac28e6ece5af3d744018a179945ce9b200e6f7c3553135ed73a91206d88697ecd9b572b99edf8e7ed1a7b9295f55d9bd5a166929

    • SSDEEP

      24576:t8kyGyOYQzlGI6AAgZ5KwJSXqfejQP+xyTAWHt:t8kypOYjI6A1r8XKmxkN

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks