General

  • Target

    d95620daeaadaeaf64a5524ce_JC.exe

  • Size

    499KB

  • Sample

    230729-plk89acf86

  • MD5

    ffb0bf1556c28637409f9d150d70f0c8

  • SHA1

    08a4890396140d0f9d5f0acdf171d11997422d10

  • SHA256

    d95620daeaadaeaf64a5524ce23f6a73d286f9d5ece92f094c5ca081cbd219db

  • SHA512

    d9143850fc6637c4e52e7ff0bbaa580da5fb855fa1848314794fa92c56386c688796a5c052d90492993e0b8e99f3400b81725941e31c7d87dfd34898aad184a0

  • SSDEEP

    6144:U9U5jOW8utKw9PCQTpbdOIShLe7OEehuozcO8BnYN1iQ3X0ajAvy8CNwTEcygz:vjOWTDTNbdO9N2n+zc9BnYN19XWvy8C

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    webmail.satnet.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    reve1563

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks