General

  • Target: DDCD1F6072557A945AE9820B5669FD06528047A84DFDBD7327CCAB42A3BCCA8F
  • Size: 181KB
  • Sample: 230718-zkk7zaef5y
  • MD5: 009d7a426f0b77384da5cf6d3cdbf157
  • SHA1: 4109733f498b88d2a05dd420098ba3602b4cb7d4
  • SHA256: ddcd1f6072557a945ae9820b5669fd06528047a84dfdbd7327ccab42a3bcca8f
  • SHA512: 3a1b0a9a8d0ad31d94643b17e2698adec52afa0865ee356bed219bfc73ece4ac61aba545c3974b2a0fe070aed30adaa8f7289b8e39f3f52380aa57bbf7d96356
  • SSDEEP: 3072:V+CNDiPNeIoZ3CHBx4LjxiDZuh3Un/p+5CyeV+HzkcqCdkvEKjmkCQnZhzD9iira:V+QDi0D0hMsDZg6uZeVM4bCyfsMZhzDS

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol: smtp
  • Host: uglyhousebuy.com
  • Port: 587
  • Username: [email protected]
  • Password: ]YSPgjNCuF;W

Targets

    • Target: fatura proforma xls.exe
    • Size: 221KB
    • MD5: c8b464bb63553f38026beb033afe58e9
    • SHA1: 30ccc2ee2410802ad90275d13ddb4dc2cca11f45
    • SHA256: 6e6f28265a65efc29248f1bc10513f4c2320edba637d87f8341df71fa113dcd3
    • SHA512: 4ffd37544be2e15203e0ed79370fa80910d05f8fe44b4549e5224abf2820a6172e01ed8f555eed5c8e02992616e7afdd48ad4a718bbac3c303102616ddb448f1
    • SSDEEP: 6144:S6v1ebfDVAxV+szpZeVMebrmySqizl3D4hS:S6v12pAxV+sdY2efmnFlX

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, and infostealers frequently target it there.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6