Overview

overview

10

Static

static

1

Swift Copy.exe

windows7-x64

10

Swift Copy.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Swift Copy.exe

  • Size

    758KB

  • Sample

    230327-yemyyafa27

  • MD5

    97dda9477c75520715b9f892bb9dbcda

  • SHA1

    5f808069589336be86d65ddd34d0301af0331e8b

  • SHA256

    53186731a63a71683ff6672b8fad44b2d8df96dd8c11b9817eb2a37422d65860

  • SHA512

    22bf5d7b2c1e7cbee80b1e33c33c65a604ff6538a6b9b742d7aab47ffb8c8e0f3b288e41757df1c59ce7f5be6c94527b278ecc7dfaf1911baa125f75da7a2ccc

  • SSDEEP

    12288:td7w9YO/R3rM52Wi/ODakc2MJR2Mh/SGLuYj26wH6Mulz4fr5TtiGELCAEgiV5xg:Dw9YOqg/ODFYR5tLDj261Mulqr5Tw3Vg

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6284958682:AAFqhG3qHKFjAq48ezySmL8vRDzlw2Jx9s8/sendMessage?chat_id=5636036075

Targets

    • Target

      Swift Copy.exe

    • Size

      758KB

    • MD5

      97dda9477c75520715b9f892bb9dbcda

    • SHA1

      5f808069589336be86d65ddd34d0301af0331e8b

    • SHA256

      53186731a63a71683ff6672b8fad44b2d8df96dd8c11b9817eb2a37422d65860

    • SHA512

      22bf5d7b2c1e7cbee80b1e33c33c65a604ff6538a6b9b742d7aab47ffb8c8e0f3b288e41757df1c59ce7f5be6c94527b278ecc7dfaf1911baa125f75da7a2ccc

    • SSDEEP

      12288:td7w9YO/R3rM52Wi/ODakc2MJR2Mh/SGLuYj26wH6Mulz4fr5TtiGELCAEgiV5xg:Dw9YOqg/ODFYR5tLDj261Mulqr5Tw3Vg

    Score
    10/10
    snakekeyloggercollectionkeyloggerspywarestealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks