snakekeylogger | 2532305e65e74d6caeddb1574e80c48cfb58da37d72f34ec1dc4d0efee84a41f

General

Target

949d00495bd796de4f53cad348b8908e65f3cf92ccaeec90b165988ef0517bbb.zip
Size

350KB
Sample

230310-nk4hrsdc95
MD5

2fbc7b46eb6c9d645116edd2eba9d3b5
SHA1

6eabf198b9e1c85fdb4237949c39eb3373b40ed9
SHA256

2532305e65e74d6caeddb1574e80c48cfb58da37d72f34ec1dc4d0efee84a41f
SHA512

e39efac4fa44dc7aff5bb196a95588cdd416d9cfd7439cd266350af481ad054c3f07f5442423ecad6acd97b383143ef60ae8a15e458b10536d9eca8d31f50af8
SSDEEP

6144:NyQ67X6KDx0LsvgPLY/qErgkpmfq5a0RIebNfbjj0Xur/8sOKt45h+6eLgo6:SX6KiCgPVErgk0C5a0dfbjj0EksOKtKp

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/sendMessage?chat_id=5928888099

Targets

- Target
  
  949d00495bd796de4f53cad348b8908e65f3cf92ccaeec90b165988ef0517bbb.exe
- Size
  
  740KB
- MD5
  
  5bf3bd8320d150f074d5dbbbf4468e7c
- SHA1
  
  0b8e8a89ca7ff025315e9a46bd386e6d78272f83
- SHA256
  
  949d00495bd796de4f53cad348b8908e65f3cf92ccaeec90b165988ef0517bbb
- SHA512
  
  a77aa181ebf92d3c9cd44826914178aa42484e33e9b09018784f14f09cdc6bd1c7840ee97f04cbb5354a5db8ac23ad02d391231c583e1d616cac768bae270094
- SSDEEP
  
  12288:2TvpWnX9zt58IXAExxphTTYLGJNHAbCEts728dZQk0ApdKnHxlzZ4yCPW5LMGVbC:2MNRfJYZa2ZGykmYGmp
Score

10^/10

snakekeylogger collection keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Snake Keylogger

Snake Keylogger payload

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2