General

  • Target

    SecuriteInfo.com.Win32.PWSX-gen.7989.2626.exe

  • Size

    573KB

  • Sample

    230718-mq39hshe87

  • MD5

    c69ad29b13b8a81780fb8dcc19a9e860

  • SHA1

    c651aad27968d6963efd00752b4d9342948cd70c

  • SHA256

    a07e48874a69880208333c95cc881484421695b907c107e9e75593c75ec59eb8

  • SHA512

    68dd8d05b7f51634d5c8bd9e408957ddd3db1cc9d11cfe5f0d28daadb9f4d820526d9c4beeb92ca98ac0d69cfc489a543181e133b97d5d95b86ac541100ce2c7

  • SSDEEP

    12288:zmAY2kcdbL4Eft4mYwADdLJI0sCCjO9Y8mpc9vfipjFXrJoW3PQLS8jNc:yN6GEfzYFJLWRjOrmgibJoyQdN

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    webmail.satnet.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    reve1563

Targets

    • Target

      SecuriteInfo.com.Win32.PWSX-gen.7989.2626.exe

    • Size

      573KB

    • MD5

      c69ad29b13b8a81780fb8dcc19a9e860

    • SHA1

      c651aad27968d6963efd00752b4d9342948cd70c

    • SHA256

      a07e48874a69880208333c95cc881484421695b907c107e9e75593c75ec59eb8

    • SHA512

      68dd8d05b7f51634d5c8bd9e408957ddd3db1cc9d11cfe5f0d28daadb9f4d820526d9c4beeb92ca98ac0d69cfc489a543181e133b97d5d95b86ac541100ce2c7

    • SSDEEP

      12288:zmAY2kcdbL4Eft4mYwADdLJI0sCCjO9Y8mpc9vfipjFXrJoW3PQLS8jNc:yN6GEfzYFJLWRjOrmgibJoyQdN

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks