General

  • Target

    27a1dbfbaa90bcb6a75d3ca5b633bc161a9cc780b3f8e4e13e2b2557e840442b

  • Size

    912KB

  • Sample

    230505-wvsg9aec6w

  • MD5

    6a21ed805db791eda807badcab8d562a

  • SHA1

    e57eac081867e60501a1b9f814c9c7504eebe9d2

  • SHA256

    27a1dbfbaa90bcb6a75d3ca5b633bc161a9cc780b3f8e4e13e2b2557e840442b

  • SHA512

    7ba881c81e31bcd2387ee36877e61142521d909a66a1559c454cd75fe882e9da8550d33289eac1c5bddf3cef20008cef652b8e24ca4134aaaee179a27756b7d9

  • SSDEEP

    12288:fpBq5GkjmZ1ni4IyIHp+bWM3mr5S+MF8NcU/zQ4baiG1qKQaf8i8vONLyZyS7cH8:fpkGkjG9qemU+w8cU/zQ2aR+aEi4C

Malware Config

Extracted

Credentials

  • Protocol: smtp
  • Host: cp5ua.hyperhost.ua
  • Port: 587
  • Username: [email protected]
  • Password: 7213575aceACE@#$

Extracted

Family

snakekeylogger

Credentials

Targets

    • Snake Keylogger

      Keylogger and infostealer, first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks