General

  • Target

    a4251c2f1be71e7bb9cf721d3338181bca9be4a9c6a08eed0a3ac2356aa69770

  • Size

    542KB

  • Sample

    230505-xfr4lsgh3y

  • MD5

    c6a650a8692da969123d75391793c8fa

  • SHA1

    10fcf62c926df01dc352f405b3de5d9bdc4c5012

  • SHA256

    a4251c2f1be71e7bb9cf721d3338181bca9be4a9c6a08eed0a3ac2356aa69770

  • SHA512

    4f6715a6143def68e379c9d321ba562b28335dde28eb55278d60bbc1292c9bf4553862b594a49007aba508b77ad1275dcacee4ec87ca190e9b0a4c4bb86c10dc

  • SSDEEP

    12288:lPgUCbRA1qRYBh3mkqhM8rcA+/hCm5Kb:SbOBpmkqM8rct/4MKb

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    cp5ua.hyperhost.ua
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    7213575aceACE@#$

Extracted

Family

snakekeylogger

Credentials

Targets

    • Snake Keylogger

      Snake Keylogger is a keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks