General
-
Target
INV-00289202.exe
-
Size
289KB
-
Sample
230328-gzbmzahc66
-
MD5
5a1cdfd26e4afd8433348e47b287882c
-
SHA1
af031bb897a71ce50907c77e2fc7518c60c80598
-
SHA256
3355b6fac696f3aad246fd34404a407dd9a7945f540537ec695bb1cb75c337c0
-
SHA512
009d9eba87e13a9b4db8ee043dbc3ac3565add30a86b7b926b911a773d6d2817a9525e9fceb5b6e330b849ebf1a0f22fb992b58a111e5833224e57ac375b853c
-
SSDEEP
6144:bYa6/lP1OjJvVJMdhINFE/MWfwfQJwwxCNfqp+a0meiesqRIvVzcc:bYllPkjVVOdhINFBk1wobvMoD
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot6180860165:AAH5meoxRqYOnd7z0M_zkiqQ7pmOf_hbrUY/sendMessage?chat_id=6077046490
Targets
-
-
Target
INV-00289202.exe
-
Size
289KB
-
MD5
5a1cdfd26e4afd8433348e47b287882c
-
SHA1
af031bb897a71ce50907c77e2fc7518c60c80598
-
SHA256
3355b6fac696f3aad246fd34404a407dd9a7945f540537ec695bb1cb75c337c0
-
SHA512
009d9eba87e13a9b4db8ee043dbc3ac3565add30a86b7b926b911a773d6d2817a9525e9fceb5b6e330b849ebf1a0f22fb992b58a111e5833224e57ac375b853c
-
SSDEEP
6144:bYa6/lP1OjJvVJMdhINFE/MWfwfQJwwxCNfqp+a0meiesqRIvVzcc:bYllPkjVVOdhINFBk1wobvMoD
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-