snakekeylogger | 85f560faef36e2e4f62469599952a8757125682de1520950a07a8dd6c1bbb8bd

General

Target

HEUR-Trojan-Spy.MSIL.SnakeLogger.gen-85f560faef36e2e4f62469599952a8757125682de1520950a07a8dd6c1bbb8bd
Size

589KB
Sample

230605-s8hcnahd74
MD5

86725fab299e8c95fe17634aab775bc5
SHA1

2f24bbca7865b6204481832d867597f8a5a4a65b
SHA256

85f560faef36e2e4f62469599952a8757125682de1520950a07a8dd6c1bbb8bd
SHA512

ada43f241533c0a2fb7324324d5c819e82f582c3df5d92af66336146b959d94a30e590c8c289dc7cfa58f8b19c8c79773647a89a5eabcb870dd8e4538e6b3929
SSDEEP

12288:AAbXegQVt17urnyY+JqUUiBy1yFoz1NDEWxF:AaryJsAbFOXDEgF

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5843567515:AAEdtJWwcJKNn64U81CKVdG-li_Ejds8raM/sendMessage?chat_id=1639214896

Targets

- Target
  
  HEUR-Trojan-Spy.MSIL.SnakeLogger.gen-85f560faef36e2e4f62469599952a8757125682de1520950a07a8dd6c1bbb8bd
- Size
  
  589KB
- MD5
  
  86725fab299e8c95fe17634aab775bc5
- SHA1
  
  2f24bbca7865b6204481832d867597f8a5a4a65b
- SHA256
  
  85f560faef36e2e4f62469599952a8757125682de1520950a07a8dd6c1bbb8bd
- SHA512
  
  ada43f241533c0a2fb7324324d5c819e82f582c3df5d92af66336146b959d94a30e590c8c289dc7cfa58f8b19c8c79773647a89a5eabcb870dd8e4538e6b3929
- SSDEEP
  
  12288:AAbXegQVt17urnyY+JqUUiBy1yFoz1NDEWxF:AaryJsAbFOXDEgF
Score

10^/10

snakekeylogger collection keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Snake Keylogger

Snake Keylogger payload

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2