General

  • Target

    DHLQ-00445321121.exe

  • Size

    517KB

  • Sample

    230718-hcxglagf85

  • MD5

    1c06771aa25dd143897aa88d8f99bd1d

  • SHA1

    56c5d9ee91ab124be1403aaadb540bc46829722c

  • SHA256

    11c3a0d1cc7a212c5a395241bec313edb5ecd4da981a7bb0cb68387594932e3f

  • SHA512

    9fc3907fa39071adaa88b11ac1494b6dad556053929a3d4649428da31d29c28f2f9aee44fe4ba38b643e1078baede0787280506646efe1f444559f2069fb820b

  • SSDEEP

    12288:Cj0l8phLwlFL5C0wLtDf0DT8fIQI/RAWoVqTrQaSejL8Z:IAAKlpRw5IDAnm4qTrQaSejL8Z

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://almasa.com.pe/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    i($Ei~YKMTZY
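
The extracted config gives the defender a concrete network indicator: the sample exfiltrates over plain FTP to almasa.com.pe on tcp/21. The following is an added example, not part of this report, of how to turn that into a check over network telemetry: resolve the C2 hostname through DNS records first (Zeek-style logs record IPs, not names), then flag FTP sessions to any of those IPs. The log lines are constructed and reduced to the columns the check reads; the IPs are RFC 5737 documentation addresses and not real resolutions of the host. The username is redacted in the page's copy of the config, so the check matches on host and port only.

```python
from urllib.parse import urlparse

# Configuration as extracted from the sample on this page. The username is
# redacted in the page's copy, so this check matches on host and port only.
EXTRACTED_CONFIG = {
    "family": "snakekeylogger",
    "protocol": "ftp",
    "host": "ftp://almasa.com.pe/",
    "port": 21,
}

# Constructed sample logs in a reduced, Zeek-like tab-separated layout
# (only the columns the check reads). IPs are RFC 5737 documentation
# addresses, not real resolutions of the C2 host.
# dns columns: ts, uid, src, resolver, query, qtype, answers
DNS_LOG = (
    "1689662301.1\tCd1\t10.0.0.5\t10.0.0.2\talmasa.com.pe\tA\t203.0.113.10,203.0.113.11\n"
    "1689662302.4\tCd2\t10.0.0.5\t10.0.0.2\texample.org\tA\t198.51.100.7\n"
    "1689662303.0\tCd3\t10.0.0.9\t10.0.0.2\talmasa.com.pe\tAAAA\t-\n"
)
# ftp columns: ts, uid, src, dst, dst_port, user, command, arg
FTP_LOG = (
    "1689662310.2\tCf1\t10.0.0.5\t203.0.113.10\t21\tftpuser\tSTOR\tPasswords.txt\n"
    "1689662311.9\tCf2\t10.0.0.9\t198.51.100.7\t21\tanonymous\tRETR\treadme.txt\n"
    "1689662320.0\tCf3\t10.0.0.5\t203.0.113.11\t2121\tftpuser\tSTOR\tKeystrokes.txt\n"
)

# FTP commands that push data to the server; these are the exfiltration path.
UPLOAD_COMMANDS = {"STOR", "APPE", "STOU"}


def exfil_hostname(cfg):
    """Bare hostname of the exfiltration server from the ftp:// URL in the config."""
    return urlparse(cfg["host"]).hostname.lower()


def resolved_ips(dns_log, hostname):
    """IPs the monitored hosts received as answers for `hostname`."""
    ips = set()
    for line in dns_log.splitlines():
        _ts, _uid, _src, _resolver, query, _qtype, answers = line.split("\t")
        if query.lower() == hostname and answers != "-":
            ips.update(answers.split(","))
    return ips


def find_exfil_sessions(dns_log, ftp_log, cfg):
    """Flag FTP sessions to any IP the configured host resolved to.

    A session on a port other than the configured one is still reported
    (the operator may move the server) but marked so the analyst can weigh it.
    """
    target_ips = resolved_ips(dns_log, exfil_hostname(cfg))
    hits = []
    for line in ftp_log.splitlines():
        ts, uid, src, dst, port, user, command, arg = line.split("\t")
        if dst not in target_ips:
            continue
        hits.append({
            "ts": ts, "uid": uid, "src": src, "dst": dst, "port": int(port),
            "user": user, "command": command, "arg": arg,
            "port_matches": int(port) == cfg["port"],
            "is_upload": command.upper() in UPLOAD_COMMANDS,
        })
    return hits


if __name__ == "__main__":
    for hit in find_exfil_sessions(DNS_LOG, FTP_LOG, EXTRACTED_CONFIG):
        print(hit)
```

Because the credentials are hard-coded in the binary, every infected host logs in with the same account; once a single session is confirmed, the FTP USER value from that session becomes a reliable pivot across the rest of the fleet, and the account can be reported to the hosting provider for takedown.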

Targets

    • Target

      DHLQ-00445321121.exe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store user data (account settings and saved credentials) on disk, where infostealers commonly harvest it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
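
No single behaviour above is malicious on its own (a browser reads its own credential store; plenty of software asks an IP-echo service for its public address). What marks an infostealer is one process doing several of them and then opening the exfiltration channel. The following is an added example, not part of this report, of that correlation over host telemetry. The events are constructed in a generic EDR-style schema; the browser and mail-client paths and the Outlook registry key are the standard locations those products use and are assumptions of the example rather than artefacts recovered from this sample; the page does not say which IP lookup service the sample used, so the list of IP-echo hosts is likewise an assumption.

```python
import re
from collections import defaultdict

# Where credential stores live on disk (assumed standard locations, not
# recovered from this sample).
CREDENTIAL_STORE_PATTERNS = {
    "browser_credential_store": re.compile(
        r"\\User Data\\[^\\]+\\(Login Data|Web Data|Cookies)$", re.I),
    "email_client_profile": re.compile(
        r"\\Thunderbird\\Profiles\\.*\\(logins\.json|key4\.db)$", re.I),
}
OUTLOOK_PROFILE_KEY = re.compile(
    r"\\Software\\Microsoft\\Office\\[\d.]+\\Outlook\\Profiles", re.I)
# Legitimate IP-echo services commonly used by stealers; assumption, since the
# page does not name the one this sample contacted.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ip-api.com"}
EXFIL_PORTS = {21}  # FTP, per the extracted config on this page

STEALER = r"C:\Users\victim\AppData\Local\Temp\DHLQ-00445321121.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed events: type, pid, image, target. Not real telemetry.
EVENTS = [
    {"type": "file_read", "pid": 4120, "image": STEALER,
     "target": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "pid": 4120, "image": STEALER,
     "target": r"C:\Users\victim\AppData\Roaming\Thunderbird\Profiles\abcd1234.default\logins.json"},
    {"type": "registry_read", "pid": 4120, "image": STEALER,
     "target": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"type": "dns_query", "pid": 4120, "image": STEALER, "target": "checkip.dyndns.org"},
    {"type": "network_connect", "pid": 4120, "image": STEALER, "target": "203.0.113.10:21"},
    # Benign noise: the browser reading its own store, a service checking its IP.
    {"type": "file_read", "pid": 2200, "image": CHROME,
     "target": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "dns_query", "pid": 3300, "image": r"C:\Windows\System32\svchost.exe",
     "target": "api.ipify.org"},
]


def classify(event):
    """Map one event to the stealer behaviour it evidences, or None."""
    t = event["type"]
    target = event["target"]
    if t == "file_read":
        for name, pattern in CREDENTIAL_STORE_PATTERNS.items():
            if pattern.search(target):
                return name
    elif t == "registry_read" and OUTLOOK_PROFILE_KEY.search(target):
        return "outlook_profile"
    elif t == "dns_query" and target.lower() in IP_LOOKUP_HOSTS:
        return "external_ip_lookup"
    elif t == "network_connect":
        _host, _, port = target.rpartition(":")
        if port.isdigit() and int(port) in EXFIL_PORTS:
            return "ftp_exfil_channel"
    return None


def score_processes(events):
    """Collect the distinct stealer behaviours seen per process."""
    per_pid = defaultdict(lambda: {"image": None, "behaviours": set()})
    for event in events:
        behaviour = classify(event)
        if behaviour is None:
            continue
        entry = per_pid[event["pid"]]
        entry["image"] = event["image"]
        entry["behaviours"].add(behaviour)
    return dict(per_pid)


def flag_stealers(events, threshold=3):
    """PIDs showing at least `threshold` distinct behaviours, worst first."""
    scored = score_processes(events)
    flagged = [pid for pid, e in scored.items() if len(e["behaviours"]) >= threshold]
    return sorted(flagged, key=lambda pid: -len(scored[pid]["behaviours"]))


if __name__ == "__main__":
    for pid in flag_stealers(EVENTS):
        print(pid, score_processes(EVENTS)[pid])
```

The threshold is deliberately on distinct behaviour classes rather than event counts, so a browser touching its own store a thousand times still scores one; in practice the credential-store patterns should also be tightened with an allow-list of the owning process images.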

MITRE ATT&CK Enterprise v6

Tasks