General

  • Target

    508bc15e631f38832f95774c655bf4c0584801d21b09922e5d90807fb6849a3a

  • Size

    729KB

  • Sample

    230505-w12m4sch94

  • MD5

    f45ab2421b6348efb4660d8b93f39f37

  • SHA1

    ce673fd3c637ff424b1e7562058c8a2f05a8d4fc

  • SHA256

    508bc15e631f38832f95774c655bf4c0584801d21b09922e5d90807fb6849a3a

  • SHA512

    b67c6bfc56388227f95067fc8c937b4c1ec0f6fbcec3a30d11de68813276afd08152a2ba8680ba20c9dc294041411cfda241b2443650c15c1c3152c503f107e5

  • SSDEEP

    12288:WX11KOuY1+8DVrTW6jtf+5rwiY86xHEAOybetpvvbprgsGcI/3:CPKORU4TJh86pOySXvvlrscI/3

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    cp5ua.hyperhost.ua
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    7213575aceACE@#$

Extracted

Family

snakekeylogger

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
