General

  • Target

    1046ce2655057bf77f032867b6966e9305a849885cbf2bfcc950aafefab9a732

  • Size

    545KB

  • Sample

    230505-wrlkjadh3y

  • MD5

    9f0d16482b592714ba54308a101f0fe5

  • SHA1

    60e9f224863ed0069671ab7a8e63151477fb96c8

  • SHA256

    1046ce2655057bf77f032867b6966e9305a849885cbf2bfcc950aafefab9a732

  • SHA512

    c0faec3265026de7be173c320bcbfec830730b18730305431c9eabc6fe4115cd8e522b4aede844e93f3e0940f0b7aa768336c35c581cf153f7b777ae4630eb29

  • SSDEEP

    12288:3otx37BWadGcigYgp4uobYfwSYByy21a7t0lf5mKm3d:qx37kadGWSuoUfwSfJMt0lf514d

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    cp5ua.hyperhost.ua
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    7213575aceACE@#$
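The extracted configuration above is the sample's exfiltration channel: stolen data is sent by e-mail through the submission port (587) of `cp5ua.hyperhost.ua`. The example below is added here and is not part of the sandbox report; it turns the report's indicators into a file-hash check and a small network-hunt over Zeek-style JSON logs. The hash values and the SMTP host/port are copied from the report; the log lines, the Zeek field names used, and the IP addresses in them (documentation ranges) are constructed for the example. The username is redacted on the page, so only the host and port are used as network indicators.

```python
"""Hunt for the Snake Keylogger sample described above.

Added example, not part of the sandbox report. Hashes and SMTP host/port are
copied from the report; the Zeek-style log records below are constructed.
"""
import hashlib
import json

# File indicators copied from the report.
SAMPLE_HASHES = {
    "md5": "9f0d16482b592714ba54308a101f0fe5",
    "sha1": "60e9f224863ed0069671ab7a8e63151477fb96c8",
    "sha256": "1046ce2655057bf77f032867b6966e9305a849885cbf2bfcc950aafefab9a732",
}

# Network indicators from the extracted SMTP config (username is redacted on the page).
EXFIL_SMTP_HOST = "cp5ua.hyperhost.ua"
EXFIL_SMTP_PORT = 587

# Constructed Zeek-style JSON records (one per line). 203.0.113.0/24, 198.51.100.0/24
# and 192.0.2.0/24 are documentation ranges, not real infrastructure.
SAMPLE_LOG_LINES = [
    '{"_path":"dns","uid":"CdnsX1","id.orig_h":"10.0.0.25","query":"cp5ua.hyperhost.ua","qtype_name":"A","answers":["203.0.113.10"]}',
    '{"_path":"conn","uid":"CconnY2","id.orig_h":"10.0.0.25","id.resp_h":"203.0.113.10","id.resp_p":587,"proto":"tcp"}',
    '{"_path":"dns","uid":"CdnsZ3","id.orig_h":"10.0.0.25","query":"example.com","qtype_name":"A","answers":["198.51.100.5"]}',
    '{"_path":"conn","uid":"CconnW4","id.orig_h":"10.0.0.25","id.resp_h":"198.51.100.5","id.resp_p":443,"proto":"tcp"}',
    # Legitimate mail submission to an unrelated server: must NOT be flagged.
    '{"_path":"conn","uid":"CconnV5","id.orig_h":"10.0.0.25","id.resp_h":"192.0.2.25","id.resp_p":587,"proto":"tcp"}',
]


def file_hashes(data: bytes) -> dict:
    """Compute the digests the report lists, for a file's raw bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def matches_sample(data: bytes) -> bool:
    """True if the bytes are exactly the sample from the report (SHA256 match)."""
    return file_hashes(data)["sha256"] == SAMPLE_HASHES["sha256"]


def _is_exfil_name(name: str) -> bool:
    return name.lower().rstrip(".") == EXFIL_SMTP_HOST


def scan_zeek_logs(lines):
    """Return (uid, reason) hits for the exfil host.

    Pass 1 collects the A-record answers for the exfil host so that pass 2 can
    join conn records to them; flagging every TCP/587 connection on its own
    would also catch legitimate mail clients.
    """
    records = [json.loads(line) for line in lines if line.strip()]

    exfil_ips = set()
    for rec in records:
        if rec.get("_path") == "dns" and _is_exfil_name(rec.get("query", "")):
            exfil_ips.update(rec.get("answers", []))

    hits = []
    for rec in records:
        path = rec.get("_path")
        if path == "dns" and _is_exfil_name(rec.get("query", "")):
            hits.append((rec["uid"], "dns lookup of exfil host"))
        elif (path == "conn" and rec.get("proto") == "tcp"
              and rec.get("id.resp_p") == EXFIL_SMTP_PORT
              and rec.get("id.resp_h") in exfil_ips):
            hits.append((rec["uid"], f"tcp/{EXFIL_SMTP_PORT} submission to {rec['id.resp_h']}"))
    return hits


if __name__ == "__main__":
    for uid, reason in scan_zeek_logs(SAMPLE_LOG_LINES):
        print(uid, reason)
```

The DNS-to-connection join is the part worth keeping: a rule that fires on any outbound TCP/587 would be noisy in an environment with real mail clients, while a rule keyed only on the hostname misses the submission itself once the name is resolved. Blocking the credential pair at the mail provider is the other obvious response, since the same account is what the stealer uses to send its reports.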

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      1046ce2655057bf77f032867b6966e9305a849885cbf2bfcc950aafefab9a732

    • Size

      545KB

    • MD5

      9f0d16482b592714ba54308a101f0fe5

    • SHA1

      60e9f224863ed0069671ab7a8e63151477fb96c8

    • SHA256

      1046ce2655057bf77f032867b6966e9305a849885cbf2bfcc950aafefab9a732

    • SHA512

      c0faec3265026de7be173c320bcbfec830730b18730305431c9eabc6fe4115cd8e522b4aede844e93f3e0940f0b7aa768336c35c581cf153f7b777ae4630eb29

    • SSDEEP

      12288:3otx37BWadGcigYgp4uobYfwSYByy21a7t0lf5mKm3d:qx37kadGWSuoUfwSfJMt0lf514d

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser profile data, which can include saved credentials, cookies and autofill entries.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext is commonly used to redirect a thread into injected code, for example in process hollowing.

MITRE ATT&CK Enterprise v6

Tasks