General

  • Target: TKSC2310596000.exe

  • Size: 544KB

  • Sample: 230804-fbnf7ahe75

  • MD5: c580578c2d1d9203d43537f6e71a7c99

  • SHA1: ccff8d607eef5159e44fa349fb8fa7e8560600ec

  • SHA256: c545399c898bb75310af8f052aafc91e44893ff82905d80f3b449321b6c61489

  • SHA512: 0abc9c9b8ce4ce830542e5ee2ab0a93ccf10f13b273ff0791bed71330aba07d9fe9a90dbdde0896dfcf79f928431f2592e215ea4247b9c86142c07124050d44a

  • SSDEEP: 12288:2+15YQvjOuVfIQ3e97weN2LhB0iXmVDW0MDhYm5:2+1XOuv3C92LL0iXm+hYm5

Malware Config

Extracted

Family: snakekeylogger

Credentials

Targets

    • Target: TKSC2310596000.exe

    • Size: 544KB


    • Snake Keylogger: Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients: Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks