snakekeylogger | 0ff965e6f45e08c7ec843a01d22a6393b5a0be7b30029b7fc70a23d1e1aae6ed

General

Target

0ff965e6f45e08c7ec843a01d22a6393b5a0be7b30029b7fc70a23d1e1aae6ed
Size

974KB
Sample

231023-d5qsasff98
MD5

a32103d0dba5cc68eecba6cf3677c330
SHA1

857c73d16536fd14b0054709c5f5f4bcc41528a9
SHA256

0ff965e6f45e08c7ec843a01d22a6393b5a0be7b30029b7fc70a23d1e1aae6ed
SHA512

11800a816a12af9e9dd851c13c8dfa2bb3d791fdf56b693fdd12927639587dca0560cc611a63439f1d3067c96cefded074d8388575dd6bf47374aa0e16e0106c
SSDEEP

24576:dgxk1GJMxhkJTYZhxk1GJMx8ckTfBPdxL1yJMMzNu:di8GJMxhkJTYZf8GJMxXkTtr5yJMMw

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6243209595:AAGECSmdSqJiVZcdFoBvotoaKcKT9Lz5Gvw/sendMessage?chat_id=1070926352

Targets

- Target
  
  Design.bat
- Size
  
  432KB
- MD5
  
  b14e49dd5671ae89f3624ad7561731af
- SHA1
  
  b2aa05a7ad52059560755fa04439413afe184ca3
- SHA256
  
  0477755f4c245b988aa85d1f9375836a72953d6172a7a82f917bbf9e59dd7294
- SHA512
  
  b803330db90b127e178abf83227ddf8f59e00d4929c686f33f6ab9be1806fb15cbca47ff3f058f20fc3d8b0afe2ddefb0b9cdcc502d22a91d2957449774d38ee
- SSDEEP
  
  12288:yD7gUiVHOazGypq9Q/NGbEP2a6JYrOiqot:nHOazTNYEz6c
Score

10^/10

snakekeylogger collection keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  New product.scr
- Size
  
  437KB
- MD5
  
  3e872d74cb692deb202d25859986357d
- SHA1
  
  9ba324ec9ff4f454409f653da5d4d7b694255d6b
- SHA256
  
  701d2231e9b9297450abddc537bfdb90fbb45f679b6da2e1e45b615280bd95c6
- SHA512
  
  90b800106b029cd671216a0566a573975a6ed3bcfd45c255f47b4e8f9766674f01e3548b5f0abce53258ec89885f8bcd04bc9c85a97596152cadcc2b361e86dd
- SSDEEP
  
  12288:AD7gUiVaOazGypq9Q/NGbEPAj6JYrOiqot2:daOazTNYE4j6c
Score

10^/10

snakekeylogger collection keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  PO_202310.pif
- Size
  
  432KB
- MD5
  
  652fc277b44f8481ea0fd8d4a661a1e5
- SHA1
  
  4c2e669b51228ab92a0bcbd55979a234e567da67
- SHA256
  
  77206304b64e1d2f6b0f1dede51784cb8fc6b2dad113676fe065de07a89b8084
- SHA512
  
  ba99a2fedff0308b6eb4c087cb67b17b62059ff29e2b511995eb1fec2a826b2433f1105a0d115daac278a91097b90303e2e1cdb3469b477f5b1e2b730b8f9ae4
- SSDEEP
  
  12288:yD7gUiV2OazGypq9Q/NGbEPGLf6JYrOiqo+ip1:n2OazTNYEW6cmip
Score

10^/10

snakekeylogger collection keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Snake Keylogger

Snake Keylogger payload

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Snake Keylogger

Snake Keylogger payload

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Snake Keylogger

Snake Keylogger payload

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6