Overview

overview

10

Static

static

1

Swift Copy.exe

windows7-x64

10

Swift Copy.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Swift Copy.zip

  • Size

    712KB

  • Sample

    230327-snbpdaea56

  • MD5

    df3cabdc3118917bee6963867fc39893

  • SHA1

    acb4f5d46da439907a89f6bd34dbb520f7e5e401

  • SHA256

    8da2351abef14c9b2537c3e3d94b5c23ef9f5f3b4fb884bc99d42c7ad09493b4

  • SHA512

    0b26ddeaee5142181060d9314adb8d61c22afe097ff2e028523b7ab49778017b789495bdf150d224d58b1f9e0396428dcbae4156ed33ab08d03730d157134f64

  • SSDEEP

    12288:yeMAGqrOB93rMR2Wi/O5ak02MJRGMb/SGLYYJ2YwHmMulZefr5TFiGULCAEgih52:yeBXrOQ8/O5FwRHtLtJ2YTMulyr5TYVd

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6284958682:AAFqhG3qHKFjAq48ezySmL8vRDzlw2Jx9s8/sendMessage?chat_id=5636036075

Targets

    • Target

      Swift Copy.exe

    • Size

      758KB

    • MD5

      97dda9477c75520715b9f892bb9dbcda

    • SHA1

      5f808069589336be86d65ddd34d0301af0331e8b

    • SHA256

      53186731a63a71683ff6672b8fad44b2d8df96dd8c11b9817eb2a37422d65860

    • SHA512

      22bf5d7b2c1e7cbee80b1e33c33c65a604ff6538a6b9b742d7aab47ffb8c8e0f3b288e41757df1c59ce7f5be6c94527b278ecc7dfaf1911baa125f75da7a2ccc

    • SSDEEP

      12288:td7w9YO/R3rM52Wi/ODakc2MJR2Mh/SGLuYj26wH6Mulz4fr5TtiGELCAEgiV5xg:Dw9YOqg/ODFYR5tLDj261Mulqr5Tw3Vg

    Score
    10/10
    snakekeyloggerkeyloggerstealercollectionspyware

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks