General

  • Target: 793460b94805267b615010b3ef130e31
  • Size: 635KB
  • Sample: 240127-ee7hssebfp
  • MD5: 793460b94805267b615010b3ef130e31
  • SHA1: a01ba1174de57830b725c597400478b9929c07d1
  • SHA256: 64e873c870ebd93ef9616bfd9c774dbe12dd80fe69f41ecad14f5d437f95f4db
  • SHA512: 88f83545bebbceffe44356c3e3505b01c08de51c1c801ef2182cc4341a2e9fb2d4f8fdac05ef5ea90ffa4529a2e4ca9b282692b7eb4763f9aed284c4401feb5d
  • SSDEEP: 12288:n/M6SVzKubzm8aDaRrSNqieKGJt5AstGlOFdkJ6w+cSiJ5TBS1Y1:nRk+ubqaRiJGJt6QGM1w0U58U

Malware Config

Extracted

  • Family: snakekeylogger

Credentials

  • Protocol: smtp
  • Host: us2.smtp.mailhostbox.com
  • Port: 587
  • Username: [email protected]
  • Password: BkKMmzZ1

Targets

    • Target: Bank slip .jpg.exe
    • Size: 1.0MB
    • MD5: 3ea15007d1dbb5b1ed0714d5c42868dc
    • SHA1: a3b512dbdd64c9e822dcdd3f16b6297a2e91a2d4
    • SHA256: 42b7d6c812a0fdefa87e7d48c1170babffe26932c12ea2037ea7161c2061c724
    • SHA512: c1c1e59e9bfed230ec7e9f4cdec261307e0eb889788acd2966f4a6973d9d8262ff40974687a4fede179320b05383147ee4316debab3781467b07db5015b42aaa
    • SSDEEP: 12288:Q3vll2iNIGnXcjcx1zaHiYmn2TsH2iJBAy3olSHB3xU5z/qphBqCz:K1qYXePm2jo8uVuqdq

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15