snakekeylogger | 3db43c5dc157dc3380f32a9814c1e590a1cb1fe0e9ba35706e56888de9230b4c

General

Target

blessed1.ps1
Size

540KB
Sample

230316-w2mwcaee8s
MD5

297b8e10650755c2076d5ea6c298d7b5
SHA1

3ef255b390d42017069762e5b2f068a2dbb5bfe5
SHA256

3db43c5dc157dc3380f32a9814c1e590a1cb1fe0e9ba35706e56888de9230b4c
SHA512

04fb650b1eb36296ac4b3ff7d80f0fa077214e899f9c6139bbec3f6b7ddee6980e15989b337f9f4f176e994a7a25f69e64c4921e814298eacb8baa82f9648b12
SSDEEP

12288:VXD4xmh3fnwCiEgzChnmYyUX3EjZrk2SvvGrdKNOQCqe6YG:VXEG

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: ftp
Host:
ftp://185.216.71.84/
Port:
21
Username:
blessed
Password:
!!@@##$$%%^^

Targets

- Target
  
  blessed1.ps1
- Size
  
  540KB
- MD5
  
  297b8e10650755c2076d5ea6c298d7b5
- SHA1
  
  3ef255b390d42017069762e5b2f068a2dbb5bfe5
- SHA256
  
  3db43c5dc157dc3380f32a9814c1e590a1cb1fe0e9ba35706e56888de9230b4c
- SHA512
  
  04fb650b1eb36296ac4b3ff7d80f0fa077214e899f9c6139bbec3f6b7ddee6980e15989b337f9f4f176e994a7a25f69e64c4921e814298eacb8baa82f9648b12
- SSDEEP
  
  12288:VXD4xmh3fnwCiEgzChnmYyUX3EjZrk2SvvGrdKNOQCqe6YG:VXEG
Score

10^/10

persistence snakekeylogger collection keylogger stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Registers COM server for autorun
  persistence
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Process spawned unexpected child process

Snake Keylogger

Snake Keylogger payload

Registers COM server for autorun

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3