General

  • Target

    3399fc936d74594ca467f3e0224eba655e854ea064f0c11f311ce6c72f3dc009exe_JC.exe

  • Size

    563KB

  • Sample

    230803-s8kg1sfb9v

  • MD5

    a3a0f7c65d064edfcb7e72361aacc6ab

  • SHA1

    ce1635ae1b2e9efb91030ed135069513d226c262

  • SHA256

    3399fc936d74594ca467f3e0224eba655e854ea064f0c11f311ce6c72f3dc009

  • SHA512

    9efd3fc52d4896247a2ba427bbcf156be6ab1ef68281d9af493a090d0ef01e2aa8d572d89028797fe3eeb99c5c367b1e69d0077039f471a69c36850c5195ad8a

  • SSDEEP

    6144:JEDeFkyh1E/65Q7nEbxFUPKpgr3UGwh1E/65Q7nEhe82wWMaYEYbxFUPKpgr3Ugs:WDeFSp0465c2Jc6Zeq91im6omxg

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      3399fc936d74594ca467f3e0224eba655e854ea064f0c11f311ce6c72f3dc009exe_JC.exe

    • Size

      563KB

    • MD5

      a3a0f7c65d064edfcb7e72361aacc6ab

    • SHA1

      ce1635ae1b2e9efb91030ed135069513d226c262

    • SHA256

      3399fc936d74594ca467f3e0224eba655e854ea064f0c11f311ce6c72f3dc009

    • SHA512

      9efd3fc52d4896247a2ba427bbcf156be6ab1ef68281d9af493a090d0ef01e2aa8d572d89028797fe3eeb99c5c367b1e69d0077039f471a69c36850c5195ad8a

    • SSDEEP

      6144:JEDeFkyh1E/65Q7nEbxFUPKpgr3UGwh1E/65Q7nEhe82wWMaYEYbxFUPKpgr3Ugs:WDeFSp0465c2Jc6Zeq91im6omxg

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks