General

  • Target

    80c0c7648149fdb4b41f5abc6316de36da5_JC.exe

  • Size

    590KB

  • Sample

    230729-n44ymsce72

  • MD5

    599dbb42835f2c2389a3ac00625c6d2d

  • SHA1

    18681d0de8bfc3787e3d5d4d90e7813936f6cead

  • SHA256

    80c0c7648149fdb4b41f5abc6316de36da5c3133676d4c9d68e783ba70cb46c0

  • SHA512

    681cfe0817443bbfc36f7038e5a523c8cf67207d5093a5c08ee759dd57333f489c5115b83b1d42912a6cbc7d453a55fe494812bce462cf60805542b08372d2c5

  • SSDEEP

    12288:vbO5VXjsqBLDJ3vUiXsYahj7uGZhdMT4PLrGbO5:zODzRL1ds5zZDmGLrgO

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.kovarviajes.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    P4tt1kr

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks