General

  • Target

    d8a5317c8c4e740557a01574cfebf71f.exe

  • Size

    753KB

  • Sample

    230805-lwmnaacf71

  • MD5

    d8a5317c8c4e740557a01574cfebf71f

  • SHA1

    129fe4f6b63412c22f728d7fec1da8cb69c9e0a5

  • SHA256

    c92819a5b69535e455893801e3ceabc29f5659a213ff93d4891b36c8af740059

  • SHA512

    4e52469c027f9a8a70cae3565bc7868b720c9249ba022db5eb4f636bb770e905e78c758792bae3174f499eb1b9ba09f359b0fa54fab811db0fa05cdd8a781916

  • SSDEEP

    12288:FfNMRf0t5/T4U0T2yhANAv3g5uFDztzT90QQpO:FfyRc3bQ22A2vjtzTiXg

Malware Config

Extracted

  • Family

    snakekeylogger

  • Credentials

Targets

    • Target

      d8a5317c8c4e740557a01574cfebf71f.exe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks