Overview

overview

10

Static

static

3

8615169ad3...ca.exe

windows7-x64

10

8615169ad3...ca.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a0240460a569a2e87f0231f83031c929.bin

  • Size

    598KB

  • Sample

    230602-cm5cashh2v

  • MD5

    6e0290445d4412419ebb79765550101a

  • SHA1

    2502469e225bd94017f2834aa940690e21cb182e

  • SHA256

    4b346bec5029b90facab453a001f69ced822260718301fa214b7619c5d7dcd11

  • SHA512

    3350c38a57bb2b879a6a21900b649179cca8a15f1404bbc0a0a687c1841e55f8db73da45c9209f369ee6bca2e65a5c8851065278ada197cab80bee237ca9d916

  • SSDEEP

    12288:qJC/nM5utN3TOI7VDnevKjUphyv3cwMqAn1ZL2M74e9YvS+r37ar5Hxy:Yw5SI7VDOKUpkvs53nqM7pYvS237arBc

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    posta.ni.net.tr
  • Port:
    587
  • Username:
    selen.ozyer@apareia.com.tr
  • Password:
    nilya1957
  • Email To:
    saleseuropower2@yandex.com
C2

https://api.telegram.org/bot5514204561:AAErcjaIvflhP_Fb36V8b-2QdbJLnbLXah8/sendMessage?chat_id=1813585870

Targets

    • Target

      8615169ad317d762db6aac611781bbfa7f96e977e3fcf2e5385a952c8b3a3bca.exe

    • Size

      683KB

    • MD5

      a0240460a569a2e87f0231f83031c929

    • SHA1

      27acaaf3529a328380b08678cff025b5285206a0

    • SHA256

      8615169ad317d762db6aac611781bbfa7f96e977e3fcf2e5385a952c8b3a3bca

    • SHA512

      e0a6cf843d3bd8e1ab082633f81e74bd15c040401b3520bf52f8662f2b752c7b00db8999cf3d90a921c02518bb05d8d6241ea75ca6faf76be84e83a3ec9945d3

    • SSDEEP

      12288:zJ7AMTihh6xhZ6Orz1XBZ5ZjR1OqpZfSEAYnbV/8TP4PZujiGc4q:KMUgh8yJHHjR1LflnbVUEP0jiGc/

    Score
    10/10
    snakekeyloggercollectionkeyloggerspywarestealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks