General
-
Target
PO_287104.exe
-
Size
842KB
-
Sample
230216-h9jl1agd87
-
MD5
f615e598d877065643acffd926d9ae49
-
SHA1
5474483ec48f3e34824990140d880186fe65a87c
-
SHA256
075f9863f008b047005fada351f2e8f664d3896d40d3592427c0d3c420612302
-
SHA512
8a06f2816a09c4ca4f9e272bb4d8e19a41b9d88be5e3515b226729fe6db8308a20b95fcc199ca45892f7123713291b6e17de7a170b6bfdffd084f46318df8dd0
-
SSDEEP
12288:JO6IyPNgrxDd/V964VTe4wSOwHau5bGdTL4iCKJYodh:Uolgrx7osTeLYbYdTL4iCK9
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot5478319803:AAHq9LkDUFBRvjOub4YfRlPURZxM59_BVnc/sendMessage?chat_id=5516439768
Targets
-
-
Target
PO_287104.exe
-
Size
842KB
-
MD5
f615e598d877065643acffd926d9ae49
-
SHA1
5474483ec48f3e34824990140d880186fe65a87c
-
SHA256
075f9863f008b047005fada351f2e8f664d3896d40d3592427c0d3c420612302
-
SHA512
8a06f2816a09c4ca4f9e272bb4d8e19a41b9d88be5e3515b226729fe6db8308a20b95fcc199ca45892f7123713291b6e17de7a170b6bfdffd084f46318df8dd0
-
SSDEEP
12288:JO6IyPNgrxDd/V964VTe4wSOwHau5bGdTL4iCKJYodh:Uolgrx7osTeLYbYdTL4iCK9
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-