General
-
Target
3e9308e2f99dd4d70da9b6b4ca32e40c.bin
-
Size
687KB
-
Sample
230319-v9mpwahd48
-
MD5
3df6efc501df59af6d1b7cd7717972f6
-
SHA1
033e6fa27bf236338e08b2542e91e5eb2e7f28d5
-
SHA256
ad7c348634049fe473d17bc50a72594761f2687b3537baf3dd3c28c909f97161
-
SHA512
fa6d0037f1a846d5e1096dae14ba2f4982878e87aa782ec40e6906ddb1f18d057feed58e289c81ee69e559cf0b82997c1879b7397a43a678be6a960386abe868
-
SSDEEP
12288:ptZOp1lzgpaPqSBddgjXAftDrYW3Qju6g4I+jD9qTQqIdePlsQ4c2KwYVf8:DIp1lcpCqy8AfhYSQjub4DjD9q0HePrU
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
valleycountysar.org - Port:
26 - Username:
[email protected] - Password:
PI#6XIKeoUkC
Targets
-
-
Target
a3245464c924b6be132cf5c4276e6d164188d5046eb9f93e479302419bf37faa.exe
-
Size
805KB
-
MD5
3e9308e2f99dd4d70da9b6b4ca32e40c
-
SHA1
086215cc869db56c4551aff7c339978dc4d82c32
-
SHA256
a3245464c924b6be132cf5c4276e6d164188d5046eb9f93e479302419bf37faa
-
SHA512
7fdbbc47e7ff9475836a576dd0b2a3e740ab565d85fbbce1176ed92e9d523a4392440dfbbd7da01b6c5107ecf84318841dc079b8600e1277061a6935c321e2a1
-
SSDEEP
24576:O9jkj+sLSnVFSsRONGeVsA+45FG2y+Gk6AoSSt7gMJfcMR:O9jkhL0Rm/+WG2W3A8ts6fRR
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-