snakekeylogger | e304f7bd1dcd5e4dd77baaa2a88daf2d7885eac6ce577b497bfae9c3636015d5

General

Target

72dd3abc3cebc1245b26cebe7c117b2b
Size

1.7MB
Sample

240124-z1wzeahag4
MD5

72dd3abc3cebc1245b26cebe7c117b2b
SHA1

2366f542144cbaf8fa073ffc92fde2c6874bbf45
SHA256

e304f7bd1dcd5e4dd77baaa2a88daf2d7885eac6ce577b497bfae9c3636015d5
SHA512

0e5872283d7719e5e6d41f5b9acbf7b0718ace7d4580f9a3f181b155eba446b75ed8b5ef339d92de168b5dd978d985a304386a1dc7ca8bb5e90d270a708c6ac9
SSDEEP

24576:wUhxVrRRMijyH0oOVp1QeYWn6ShHUOb/06XWBq/g792OiVYUUh0zBWBsH:wwnrryUoOpgW3Z06GBEQrSk8

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
admin@evapimlogs.com
Password:
BkKMmzZ1

Extracted

Family

xloader

Version

2.3

Campaign

ipa8

Decoy

royalposhpups.com

univa.world

lanerbo.com

shopbabygo.com

theutahhomestore.com

serialmixer.icu

linfeiya.com

xn--12cg3de5c2eb5cyi.com

am-conseil-communication.com

dailygame168.com

therightmilitia.com

visions-agency.com

mapopi.com

frugallyketo.com

guapandglo.com

54w-x126v.net

your-health-kick.com

blockchainhub360.com

registernowhd.xyz

votekellykitashima.com

Targets

- Target
  
  Dunes Industries P03356.exe
- Size
  
  1.0MB
- MD5
  
  3ea15007d1dbb5b1ed0714d5c42868dc
- SHA1
  
  a3b512dbdd64c9e822dcdd3f16b6297a2e91a2d4
- SHA256
  
  42b7d6c812a0fdefa87e7d48c1170babffe26932c12ea2037ea7161c2061c724
- SHA512
  
  c1c1e59e9bfed230ec7e9f4cdec261307e0eb889788acd2966f4a6973d9d8262ff40974687a4fede179320b05383147ee4316debab3781467b07db5015b42aaa
- SSDEEP
  
  12288:Q3vll2iNIGnXcjcx1zaHiYmn2TsH2iJBAy3olSHB3xU5z/qphBqCz:K1qYXePm2jo8uVuqdq
Score

10^/10

snakekeylogger collection keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Dunes Industries P03356202114.exe
- Size
  
  1.0MB
- MD5
  
  d4ea38bc35cb738b29f73e6750923a95
- SHA1
  
  8a4d5b7fa21b73f189b82565e3748368148b6a26
- SHA256
  
  3edf6811850efc722b39737bf3623a42127e728f0c32a0a6ab7c66044838d307
- SHA512
  
  b72774638a4dd856220117dc9f29bacf0166db6519ecd1f023a446829d403715d6b4a2d8bbb9783b32e412376194e63368a300d1ac326e440c40d9ff6128d958
- SSDEEP
  
  12288:xVo8KtS2iNQ3HIKYl/jNCr65sT9BE0U7EA/CU1McIJca:oS1sYlZ5sT920w91M3
Score

10^/10

xloader ipa8 loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Snake Keylogger

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Xloader

Xloader payload

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4