snakekeylogger | 301271b7db09d4769df8953807ea16c44578a4c4b92ef50f24da27c144f95522

General

Target

301271b7db09d4769df8953807ea16c44578a4c4b92ef50f24da27c144f95522.exe
Size

623KB
Sample

240328-clkaqsch8v
MD5

90a34e7d570fa7c219eb5f1f193611ba
SHA1

0d5d3955b04174b8f21c7bdd8d80ff21507e409c
SHA256

301271b7db09d4769df8953807ea16c44578a4c4b92ef50f24da27c144f95522
SHA512

75177b9ddf945e4dc46fb20174385faddfc569ea99cc095d1e1f9f4a96b9accc7dfcc1f6a1bd15d5740438e8ef63784ce870dfb3ea8d8c5387cc652324ace955
SSDEEP

12288:npahc5sgNxUQx/rYquAfVCto8UHv/9EeRxDVl5nX:nZsgbFkq2tNUHDFVXX

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.daipro.com.mx
Port:
587
Username:
contabilidad@daipro.com.mx
Password:
DAIpro123**
Email To:
saleseuropower1@yandex.com

C2

https://scratchdreams.tk

Targets

- Target
  
  301271b7db09d4769df8953807ea16c44578a4c4b92ef50f24da27c144f95522.exe
- Size
  
  623KB
- MD5
  
  90a34e7d570fa7c219eb5f1f193611ba
- SHA1
  
  0d5d3955b04174b8f21c7bdd8d80ff21507e409c
- SHA256
  
  301271b7db09d4769df8953807ea16c44578a4c4b92ef50f24da27c144f95522
- SHA512
  
  75177b9ddf945e4dc46fb20174385faddfc569ea99cc095d1e1f9f4a96b9accc7dfcc1f6a1bd15d5740438e8ef63784ce870dfb3ea8d8c5387cc652324ace955
- SSDEEP
  
  12288:npahc5sgNxUQx/rYquAfVCto8UHv/9EeRxDVl5nX:nZsgbFkq2tNUHDFVXX
Score

10^/10

snakekeylogger collection keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables with potential process hoocking
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Snake Keylogger

Snake Keylogger payload

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables with potential process hoocking

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2