General

  • Target

    56280d91e6528367bf62eb853a01363b.bin

  • Size

    482KB

  • Sample

    230505-w2sftsda79

  • MD5

    56280d91e6528367bf62eb853a01363b

  • SHA1

    9fd3e8f0e0526b912408e20ce2cb3ea3915cbf32

  • SHA256

    dff3c133d3b9008dfd2205b23cc0bb6ff10c21e3ffcca35501fb72900fb535f0

  • SHA512

    1e270b8e57372512e86e892fbbb462d8d8cf4cd845f0c8a1f788a486731a0e525d9248fc7b6480799fac73e38430f6590cf51ebdea49f1518205272ed0b16652

  • SSDEEP

    6144:pg0JxHI5IEaw6liixj93Q9Oo4Eq8eC4/hQ2oY4hShrz7274G/qmwp5oAmkUwfWIW:pM5TSj9gQhR/JicX27e/osUwL94zH

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.anahataresort.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Anahata#102021*

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      5faf15d82b0485d240a92b6b9d4736b4a85b477c578728f78292e51c70529e94.exe

    • Size

      656KB

    • MD5

      38a229cb268dd8a931ab314b82634871

    • SHA1

      0dc186cc87aa69df580d948ba75ba1c6f53c71de

    • SHA256

      5faf15d82b0485d240a92b6b9d4736b4a85b477c578728f78292e51c70529e94

    • SHA512

      c2d8078ad839c73cd03ec51ced60472683232e392ae2d95a2c08be97c40a27ca48339550aa0ad8dfa4677440e113df40cddbd4e3d8859bce4cddafa1d330a0cd

    • SSDEEP

      6144:X1mpdUb8y/pcdANedFbX3ihvT+d5sn8xT5HGlAJ35NBto1PDClpN35mEa187BCOe:XpRcdQedFr3+Csn8HcAJpziPOPV56o

    • Detects Redline Stealer samples

      This rule detects the presence of Redline Stealer samples based on their unique strings.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Snake Keylogger

      Snake Keylogger is a keylogger and infostealer first seen in November 2020; it typically exfiltrates captured data over SMTP, which matches the mail-server credentials extracted above.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check so the sample can skip or change behaviour in certain regions.

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext on another process's thread is a common step in process hollowing and thread hijacking, used to redirect execution into injected code.
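
The indicators above (the two samples' hashes and the extracted SMTP exfiltration host and port) can be turned into a local triage check. The following is an added example, not code from the sandbox report or from any vendor's tooling: it recomputes the report's digest set for a file, matches it against the published hashes, flags outbound connections to the extracted mail server on port 587, and decodes the username from a clear-text SMTP AUTH LOGIN exchange. The connection records, the SMTP session and the mailbox name in it are constructed for the example; the page redacts the real username, so matching is on host and port only.

```python
"""Local triage check built from the report's indicators (added example, not
part of the sandbox report). Hashes and the SMTP host/port are copied from the
page; every log record and session line below is constructed."""
import base64
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hashes copied from the report (md5 and sha256 are enough for matching).
REPORT_HASHES = {
    "56280d91e6528367bf62eb853a01363b.bin": {
        "md5": "56280d91e6528367bf62eb853a01363b",
        "sha256": "dff3c133d3b9008dfd2205b23cc0bb6ff10c21e3ffcca35501fb72900fb535f0",
    },
    "5faf15d82b0485d240a92b6b9d4736b4a85b477c578728f78292e51c70529e94.exe": {
        "md5": "38a229cb268dd8a931ab314b82634871",
        "sha256": "5faf15d82b0485d240a92b6b9d4736b4a85b477c578728f78292e51c70529e94",
    },
}

# Extracted Snake Keylogger exfiltration config (host and port from the report;
# the mailbox name is redacted on the page, so we match on host:port only).
EXFIL_SMTP = {"host": "smtp.anahataresort.com", "port": 587}


def hash_bytes(data: bytes) -> dict:
    """Compute the same digest set the report lists for a file read into memory."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def match_report_hashes(digests: dict, known: dict = REPORT_HASHES) -> List[str]:
    """Return report sample names whose published hashes match any computed digest.
    Hex is lower-cased on both sides so upper-case hashes from other tools still match."""
    normalised = {k: v.lower() for k, v in digests.items()}
    return [name for name, ref in known.items()
            if any(normalised.get(alg) == h.lower() for alg, h in ref.items())]


@dataclass
class Conn:
    """One outbound connection record (constructed; Zeek conn.log style fields)."""
    src: str
    dst_host: str
    dst_port: int


def flag_smtp_exfil(conns: Iterable[Conn], cfg: dict = EXFIL_SMTP) -> List[Conn]:
    """Flag hosts talking to the extracted mail server on the submission port.
    Matching is on the hostname in the config, so the log must carry DNS/SNI names."""
    return [c for c in conns
            if c.dst_host.lower().rstrip(".") == cfg["host"] and c.dst_port == cfg["port"]]


def smtp_auth_login_user(session_lines: Iterable[str]) -> Optional[str]:
    """Recover the username from an SMTP AUTH LOGIN exchange seen in clear text
    (before STARTTLS, or at a TLS-terminating proxy). The client answers the
    server's '334 VXNlcm5hbWU6' prompt (base64 of 'Username:') with a bare
    base64 line; a malformed answer yields None rather than an exception."""
    expect_user = False
    for line in session_lines:
        if line.startswith("334 VXNlcm5hbWU6"):
            expect_user = True
            continue
        if expect_user:
            try:
                return base64.b64decode(line.strip(), validate=True).decode("utf-8", "replace")
            except ValueError:   # binascii.Error is a ValueError subclass
                return None
    return None


if __name__ == "__main__":
    # Constructed records; "placeholder" stands in for the redacted mailbox name.
    conns = [Conn("10.0.0.5", "smtp.anahataresort.com", 587),
             Conn("10.0.0.7", "smtp.office365.com", 587)]
    print([c.src for c in flag_smtp_exfil(conns)])
    session = ["220 smtp ready", "EHLO victim", "AUTH LOGIN", "334 VXNlcm5hbWU6",
               base64.b64encode(b"placeholder@anahataresort.com").decode(),
               "334 UGFzc3dvcmQ6"]
    print(smtp_auth_login_user(session))
```

Running the hash check against a file is `match_report_hashes(hash_bytes(open(path, "rb").read()))`; a non-empty result means the file is one of the two samples on this page. The AUTH LOGIN decoder only helps where the session is visible in clear text; with STARTTLS on port 587 the credentials are encrypted in transit, which is why the extracted configuration, not the wire, is the reliable source for the mailbox name.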

MITRE ATT&CK Enterprise v6

Tasks