General

  • Target

    4f2c6a52e85eed103eccb048c9bb33cd.bin

  • Size

    183KB

  • Sample

    230602-bxfk9ahf7y

  • MD5

    eb2fe171a370568bfe0c1220c8607c33

  • SHA1

    8c816457b40c0eb39bf4f3af7cd716046e941038

  • SHA256

    82ff25d0ed5f617be4b51339f26936c5812fddbff77a39af7b0df77e5097e95f

  • SHA512

    47f4a07b511d314a8eef58a47dd285b9053056626d9c90ad755ec9ada10c6cd71e03b7e66af9d2fedc46d02b155e9936ca6b8d41eb11d85131dd7af86301f3a7

  • SSDEEP

    3072:V5HHg9nUgE4fc1jl9sJKcu7EgTv7TQ0I0Mza/FPdXMtrkI6tajFkbLbn31aJ/:V5gVUh1jcK7YOv7TQ30+onXMiI6tKkbY

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    posta.ni.net.tr
  • Port:
    587
  • Username:
    selen.ozyer@apareia.com.tr
  • Password:
    nilya1957
  • Email To:
    saleseuropower2@yandex.com

C2

https://api.telegram.org/bot5514204561:AAErcjaIvflhP_Fb36V8b-2QdbJLnbLXah8/sendMessage?chat_id=1813585870
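
The two exfiltration channels in the extracted config (an SMTP account on posta.ni.net.tr:587 and a Telegram Bot API URL) are directly usable as indicators. The following is an added example, not code from the report or from the malware: it splits the Telegram C2 URL into bot id, token secret and chat_id (the bot id is what to track, the secret is what to report to Telegram, the chat_id identifies the receiver), then runs the resulting indicators over a constructed egress log. The log format and the sample lines are invented for this example; the password is deliberately left out of the copied config.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Fields copied from the extracted config above (password omitted on purpose).
EXTRACTED_CONFIG = {
    "smtp_host": "posta.ni.net.tr",
    "smtp_port": 587,
    "smtp_user": "selen.ozyer@apareia.com.tr",
    "email_to": "saleseuropower2@yandex.com",
    "c2": ("https://api.telegram.org/bot5514204561:"
           "AAErcjaIvflhP_Fb36V8b-2QdbJLnbLXah8/sendMessage?chat_id=1813585870"),
}

# Telegram Bot API paths have the shape /bot<numeric id>:<secret>/<method>.
_BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")


@dataclass(frozen=True)
class TelegramC2:
    bot_id: str
    secret: str
    method: str
    chat_id: Optional[str]


def parse_telegram_c2(url: str) -> TelegramC2:
    """Break a Telegram Bot API URL into separately trackable parts."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        raise ValueError(f"not a Telegram Bot API URL: {url}")
    m = _BOT_PATH.match(parts.path)
    if not m:
        raise ValueError(f"unexpected Bot API path: {parts.path}")
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return TelegramC2(m["bot_id"], m["secret"], m["method"], chat_id)


def scan_egress_log(lines, cfg=EXTRACTED_CONFIG):
    """Return (line_no, severity, reason) for each line that hits an indicator.

    Constructed line format (not any real product's):
        <timestamp> <src_ip> <dst_host>:<dst_port> <url or '-'>
    The URL is only present when a TLS-inspecting proxy saw the request.
    """
    c2 = parse_telegram_c2(cfg["c2"])
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split(maxsplit=3)
        if len(fields) < 4:
            continue
        _ts, _src, dst, url = fields
        host, _, port = dst.rpartition(":")
        if host == cfg["smtp_host"] and port == str(cfg["smtp_port"]):
            hits.append((n, "high", "connection to SMTP exfil host from config"))
        elif host == "api.telegram.org":
            m = _BOT_PATH.match(urlsplit(url).path) if url != "-" else None
            if m and m["bot_id"] == c2.bot_id:
                hits.append((n, "high", f"known C2 bot id {c2.bot_id}"))
            elif m:
                hits.append((n, "medium",
                             f"Telegram Bot API call ({m['method']}) from an endpoint"))
            else:
                hits.append((n, "low", "TLS to api.telegram.org, URL not visible"))
    return hits


# Constructed sample log: line 1 is the sample's own C2 URL, line 2 the SMTP
# host, line 3 a different (made-up) bot token, line 4 CONNECT-only, line 5 benign.
SAMPLE_EGRESS_LOG = """\
2023-06-02T09:41:12Z 10.0.0.17 api.telegram.org:443 https://api.telegram.org/bot5514204561:AAErcjaIvflhP_Fb36V8b-2QdbJLnbLXah8/sendMessage?chat_id=1813585870
2023-06-02T09:41:15Z 10.0.0.17 posta.ni.net.tr:587 -
2023-06-02T09:42:01Z 10.0.0.23 api.telegram.org:443 https://api.telegram.org/bot123456789:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/getUpdates
2023-06-02T09:42:30Z 10.0.0.31 api.telegram.org:443 -
2023-06-02T09:43:02Z 10.0.0.31 www.example.com:443 https://www.example.com/
""".splitlines()

if __name__ == "__main__":
    print(parse_telegram_c2(EXTRACTED_CONFIG["c2"]))
    for hit in scan_egress_log(SAMPLE_EGRESS_LOG):
        print(hit)
```

Blocking api.telegram.org outright is the cheap control where the business does not use Telegram; where it does, the bot-id match is the precise indicator, and any Bot API call originating from a workstation rather than a server is worth a medium-severity alert on its own.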

Targets

    • Target

      732354f17c07ca3b384ec5c2cdceed76395fbbdf3cd9e615d2383a444e35d695.exe

    • Size

      222KB

    • MD5

      4f2c6a52e85eed103eccb048c9bb33cd

    • SHA1

      83a26cb54d7259506f68182951da8a4426cb1e4f

    • SHA256

      732354f17c07ca3b384ec5c2cdceed76395fbbdf3cd9e615d2383a444e35d695

    • SHA512

      61bf47d3bc10b9f98705a18d13cf8d363905cd89d43ab18e3a56aa1e76b1549fa33b08e97b7f767afd3a5199b3679c0a6048351cf0660aab64b07c1143089b07

    • SSDEEP

      6144:W5hrsBs2tROJ8VUgol+Ow3iUUUsSdLTVy:W5hrs3tRjWFlSdsSLJ

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store account data and saved credentials on disk, where infostealers routinely harvest them.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and form data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
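
The four "reads ... data" signatures above share one detection idea: a single process touching the credential stores of several unrelated applications (an FTP client, a browser, a mail client, an Outlook profile) is infostealer behaviour, whereas each legitimate application only reads its own. The following is an added example, not code from the report: it classifies file and registry access events by credential-store category and flags any image that spans two or more categories. The store locations are the common default paths, assumed here for illustration; the event tuples are constructed, using the sample's file name as the image.

```python
import re
from collections import defaultdict

# Common locations of stored credentials for the application classes named by
# the sandbox signatures. Default paths assumed for illustration; matched
# case-insensitively against backslash-normalised targets.
CREDENTIAL_STORES = {
    "ftp_client": [r"\\FileZilla\\(sitemanager|recentservers)\.xml$"],
    "browser": [r"\\Chrome\\User Data\\[^\\]+\\Login Data$",
                r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\logins\.json$"],
    "email_client": [r"\\Thunderbird\\Profiles\\[^\\]+\\logins\.json$"],
    "outlook_profile": [r"^HKCU\\Software\\Microsoft\\Office\\[\d.]+\\Outlook\\Profiles"],
}
_COMPILED = {cat: [re.compile(p, re.I) for p in pats]
             for cat, pats in CREDENTIAL_STORES.items()}


def categorise(target: str):
    """Return the credential-store category a file/registry target belongs to, or None."""
    target = target.replace("/", "\\")
    for cat, pats in _COMPILED.items():
        if any(p.search(target) for p in pats):
            return cat
    return None


def find_infostealer_candidates(events, min_categories=2):
    """events: iterable of (image, event_type, target).

    Returns {image: set_of_categories} for every image that read at least
    `min_categories` distinct credential stores. A browser reading its own
    'Login Data' scores one category and is not reported.
    """
    touched = defaultdict(set)
    for image, _etype, target in events:
        cat = categorise(target)
        if cat:
            touched[image].add(cat)
    return {img: cats for img, cats in touched.items() if len(cats) >= min_categories}


# Constructed events in Sysmon-like shape (image, event type, target).
STEALER_IMAGE = (r"C:\Users\victim\AppData\Local\Temp"
                 r"\732354f17c07ca3b384ec5c2cdceed76395fbbdf3cd9e615d2383a444e35d695.exe")
SAMPLE_EVENTS = [
    (STEALER_IMAGE, "FileRead", r"C:\Users\victim\AppData\Roaming\FileZilla\recentservers.xml"),
    (STEALER_IMAGE, "FileRead", r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (STEALER_IMAGE, "RegRead",  r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
    (STEALER_IMAGE, "FileRead", r"C:\Users\victim\AppData\Roaming\Thunderbird\Profiles\abc1.default\logins.json"),
    (STEALER_IMAGE, "FileRead", r"C:\Windows\System32\kernel32.dll"),
    (r"C:\Program Files\FileZilla FTP Client\filezilla.exe", "FileRead",
     r"C:\Users\victim\AppData\Roaming\FileZilla\sitemanager.xml"),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", "FileRead",
     r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]

if __name__ == "__main__":
    for image, cats in find_infostealer_candidates(SAMPLE_EVENTS).items():
        print(image, sorted(cats))
```

The threshold of two categories is the knob: raising it cuts false positives from backup agents and sync clients that legitimately walk the whole profile directory, lowering it catches stealers that only go after browsers. Either way, pair the rule with the "Looks up external IP address via web service" and "Drops startup file" signatures above for a higher-confidence correlation.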

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081), 3 matches

  • Collection

    Data from Local System (T1005), 3 matches

    Email Collection (T1114), 1 match
