General
Target: 2a295d2593b44e3429bb9d86b61f28d36578c6840d19cd5641fbb59cfae66580.zip
Size: 976KB
Sample: 230321-qqxzaaae98
MD5: e07b3df7f222fe549329d82aad3f0d52
SHA1: 07fda974e2a03b9ac4433ad959b2d9307b86b0ac
SHA256: 7e64f8a5f14ee5c03024678088a37be1a02f4a137a06fc33510cb9ede1b19226
SHA512: f5d4c48d415435b2a55789ff204256740ac3780880b46fbf5f58a513d67a17bfe709b725360705e64a1ebd7de4732f70c714471323d0262d7b0e5dc3618332d8
SSDEEP: 24576:oEF5KjJLSOqKV72WQz0ScQwyz24o+MoBYflvfhD4mUm2GdsiAhwjFMzEQo:oa5aX/729z3c1iZf2tvfhD4m/m6pl
Static task: static1
Behavioral task: behavioral1
  Sample: 2a295d2593b44e3429bb9d86b61f28d36578c6840d19cd5641fbb59cfae66580.xls
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 2a295d2593b44e3429bb9d86b61f28d36578c6840d19cd5641fbb59cfae66580.xls
  Resource: win10v2004-20230220-en
Malware Config
Extracted: snakekeylogger
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: [email protected]
Password: doDHyw%0
Email To: [email protected]
Targets
Target: 2a295d2593b44e3429bb9d86b61f28d36578c6840d19cd5641fbb59cfae66580.xls
Size: 1.1MB
MD5: 3963fc63e7f60f12b70794ab87ce54cd
SHA1: 299bc38a75e6051fc7bb7a6880b4cd1f17792a6d
SHA256: 2a295d2593b44e3429bb9d86b61f28d36578c6840d19cd5641fbb59cfae66580
SHA512: 2f386d93273bc806faaba4acf1453cb5d3a55f88e2d08527fc3e41c8fa20b7ebe7089cf5b8f3642ded7fce453afbaa9b7e89086ca20b012725305b8f5c9ac0c2
SSDEEP: 24576:SLKWWQmmav30xB+MXUu9/20+MXUu9L3bVn+MXUu903bVKrFWwyvtu01nwR:SLKLQmmQ30r+MXV9t+MXV9L3bVn+MXVZ
Score: 10/10
Signatures
Snake Keylogger payload
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
  vbc.exe is Microsoft's signed .NET Visual Basic compiler; its use here is a living-off-the-land step, so hunt for it being launched outside developer workflows.
Accesses Microsoft Outlook profiles
  Typical of the stealer component harvesting saved mail credentials.
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Drops file in System32 directory
Suspicious use of SetThreadContext
  A SetThreadContext call aimed at a thread in another process is the classic final step of process hollowing or thread hijacking.
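The extracted SMTP configuration and the behaviours listed above lend themselves to a small detection exercise. The Python below is an added example, not part of the Triage report and not Snake Keylogger's own code: it parses the configuration block exactly as the report prints it (the Protocol, Host, Port, Username, Password and Email To values are the page's; the "[email protected]" strings are kept verbatim as the page renders them) and runs a few rules over constructed Sysmon-style events. The IP-lookup hostnames, the Office parent process names, the vbc.exe image name and the AppData path heuristic for a dropped executable are assumptions of this example, not facts taken from the report.

```python
"""Added example: parse the report's Snake Keylogger config and run
behaviour rules over constructed Sysmon-style events."""
import json
import re

# Config block exactly as the report renders it ("[email protected]" kept verbatim).
CONFIG_TEXT = """\
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
doDHyw%0 - Email To:
[email protected]
"""

# Constructed events (not from the report), one JSON object per line.
SAMPLE_LOG = r"""
{"id": 1, "type": "process_create", "parent_image": "C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe"}
{"id": 2, "type": "network_connect", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", "dest_host": "checkip.dyndns.org", "dest_port": 80}
{"id": 3, "type": "process_create", "parent_image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", "image": "C:\\Users\\victim\\AppData\\Roaming\\update.exe"}
{"id": 4, "type": "network_connect", "image": "C:\\Users\\victim\\AppData\\Roaming\\update.exe", "dest_host": "us2.smtp.mailhostbox.com", "dest_port": 587}
{"id": 5, "type": "network_connect", "image": "C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE", "dest_host": "officecdn.microsoft.com", "dest_port": 443}
"""

# Assumed: commonly abused external-IP services (the report names none).
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com"}
# Assumed: Office binaries whose child processes deserve scrutiny.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}


def parse_config(text):
    """Turn the report's 'Key: value - Key: value' layout into a dict.
    Values are split across lines on the page, so whitespace is
    normalised first; the first separator is '- ' rather than ' - ',
    which the lookahead tolerates."""
    flat = " ".join(text.split())
    fields = {}
    for m in re.finditer(r"([A-Za-z ]+?):\s*(.*?)(?=\s?-\s[A-Za-z ]+?:|$)", flat):
        fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def load_events(log_text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(config, events):
    """Return (rule, event_id) tuples for events matching the report's
    behaviours: Office spawning vbc.exe, an external-IP lookup, a
    dropped executable run from AppData (assumed heuristic), and SMTP
    traffic to the extracted exfiltration host and port."""
    exfil_host = config["Host"].lower()
    exfil_port = int(config["Port"])
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            parent = _basename(ev["parent_image"])
            image = ev["image"].lower()
            if parent in OFFICE_PARENTS and _basename(image) == "vbc.exe":
                alerts.append(("office_spawns_vbs_compiler", ev["id"]))
            if "\\appdata\\" in image:
                alerts.append(("dropped_exe_executed", ev["id"]))
        elif ev["type"] == "network_connect":
            host = ev.get("dest_host", "").lower()
            if host == exfil_host and ev["dest_port"] == exfil_port:
                alerts.append(("snakekeylogger_smtp_exfil", ev["id"]))
            elif host in IP_LOOKUP_HOSTS:
                alerts.append(("external_ip_lookup", ev["id"]))
    return alerts


def run_demo():
    """Run the rules over the constructed log with the report's config."""
    return detect(parse_config(CONFIG_TEXT), load_events(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, event_id in run_demo():
        print(f"event {event_id}: {rule}")
```

The config parser is deliberately tolerant of the report's line breaks and the inconsistent "smtp- Host:" separator, so the same function works on other Triage config blocks pasted in this form. Feeding the resulting Host/Port pair to the network rule is the part worth reusing: it turns the extracted config into a concrete egress indicator rather than a string to eyeball.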