General

  • Target

    495d8af23d282c25c53ac94805eedab8.bin

  • Size

    603KB

  • Sample

    230602-bw5trahf61

  • MD5

    dc7913b31a9125bc1d6007d4aef833eb

  • SHA1

    ed340d7596f71683641daccb21c0ed482a7d96d2

  • SHA256

    7524d853a65af3f74392477d4ba0240dba528fc140ce9ef2693489d5ee4b9c3c

  • SHA512

    a345241a4dd9e662f2c9af75a137b0b62989232ae10820a9ab36e18f2c5f3ae3194c8e1300ea48774f3dae5522021b55dead0f73a7f44ef58c41c40307cd3257

  • SSDEEP

    12288:3WrVzYi9e/r9Et6gyrEHDu5FyRmma4GvSt6gjd3lakJ/ZpQeuiZra:3WrVzYiCCQrEH6sm3DoaKZpaita

Malware Config (extracted)

  • Family

    snakekeylogger

  • C2

    https://api.telegram.org/bot5412042498:AAH4OVSAlB-9yvO0MxObTPVF8mPej6Ln4M4/sendMessage?chat_id=5573520537

Targets

    • Target

      bb8e3470cf05d4aa4e74551b11a39436681db63206d7c1bee0ddb4bdfe99dec7.exe

    • Size

      708KB

    • MD5

      495d8af23d282c25c53ac94805eedab8

    • SHA1

      1a377ec0bcbe1a1ddcdffd7ede7079f38eb3e44e

    • SHA256

      bb8e3470cf05d4aa4e74551b11a39436681db63206d7c1bee0ddb4bdfe99dec7

    • SHA512

      4b656e18c9f5b4986c6866f51d9262b63df70e95acc8dad4f5a107bae7445fcf5b1db4e077ad2cfa0a1973ceb36d9a01c2c43cfdf1a993f8b0b66611baf41839

    • SSDEEP

      12288:pfjU22n22f223229AMTihh6xhZ6Ory76iaCfBs6EqbyGkvSgoKHeWeBU2kJMMMDg:ZU22n22f223222MUgh8ywguy8sHWQMM7

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                      Count  ID
  Execution             Scheduled Task                 1      T1053
  Persistence           Scheduled Task                 1      T1053
  Privilege Escalation  Scheduled Task                 1      T1053
  Credential Access     Credentials in Files           3      T1081
  Discovery             Query Registry                 1      T1012
  Discovery             System Information Discovery   2      T1082
  Collection            Data from Local System         3      T1005
  Collection            Email Collection               1      T1114
