General

  • Target

    06c37734836632ea2a4174128eb1f1d30e6d71bffbaf86fc2587d67014468a45

  • Size

    473KB

  • Sample

    240417-p14zxafg66

  • MD5

    4d034195c4945d7398c8d040abc35eaf

  • SHA1

    a4bfb9d261c995463d4594432c88fceac907f9ce

  • SHA256

    06c37734836632ea2a4174128eb1f1d30e6d71bffbaf86fc2587d67014468a45

  • SHA512

    55311d069d25d27c056c2d2d38c0485a3f4787f52309626ef1262c3a02dbd0b22a948517fe44a213fe8969cb1b09eb8c5e5d9444b0527cccba38803ec91ed48a

  • SSDEEP

    12288:nnsfOB8nEPZkvZ6oXm5cDxFDDKcJh+9Ls1G4Jrx:sGGnEP+R6owcTlJsVsggrx

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.daipro.com.mx
  • Port:
    587
  • Username:
    contabilidad@daipro.com.mx
  • Password:
    DAIpro123**
  • Email To:
    saleseuropower1@yandex.com
C2

http://varders.kozow.com:8081

http://aborters.duckdns.org:8081

http://anotherarmy.dns.army:8081
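The extracted configuration above is the most useful part of the report for a defender: the three C2 URLs and the SMTP exfiltration endpoint are the network artifacts this sample will produce on a victim. The following is an added example (not part of the sandbox report and not code from the report's authors) that turns those values into a small matcher and runs it over constructed log lines. The log format, source IPs, timestamps and the IP-lookup hostname `ip-lookup.example.net` are all assumptions made for illustration; only the IOC values come from the report.

```python
"""
Network IOC matcher built from the Snake Keylogger config in the report above.

Added example: the indicator values are copied from the report's "Malware Config"
section; the log lines, their format and the IP-lookup hostname are constructed
for illustration and do not come from any real capture.
"""
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Indicators taken verbatim from the report's extracted configuration.
C2_URLS = [
    "http://varders.kozow.com:8081",
    "http://aborters.duckdns.org:8081",
    "http://anotherarmy.dns.army:8081",
]
SMTP_EXFIL = {
    "host": "mail.daipro.com.mx",
    "port": 587,
    "username": "contabilidad@daipro.com.mx",
    "recipient": "saleseuropower1@yandex.com",
}


def iocs_from_config():
    """Flatten the config into a set of (hostname, port) pairs to watch for."""
    endpoints = set()
    for url in C2_URLS:
        parts = urlsplit(url)
        endpoints.add((parts.hostname.lower(), parts.port or 80))
    endpoints.add((SMTP_EXFIL["host"], SMTP_EXFIL["port"]))
    return endpoints


# One hit per log line, with every reason it was flagged.
Match = namedtuple("Match", "line reasons")

# Constructed log lines (assumed format): "ts src_ip dst_host dst_port proto [detail]".
# The first line models the report's "Looks up external IP address" behaviour against a
# hypothetical lookup service; it is deliberately NOT an IOC, because legitimate
# software uses such services too.
SAMPLE_LOGS = """\
2024-04-17T10:02:11Z 10.0.0.15 ip-lookup.example.net 443 tls
2024-04-17T10:02:14Z 10.0.0.15 varders.kozow.com 8081 http GET /
2024-04-17T10:02:20Z 10.0.0.15 mail.daipro.com.mx 587 smtp AUTH LOGIN contabilidad@daipro.com.mx
2024-04-17T10:02:21Z 10.0.0.15 mail.daipro.com.mx 587 smtp RCPT TO:<saleseuropower1@yandex.com>
2024-04-17T10:05:00Z 10.0.0.22 www.example.com 443 tls
2024-04-17T10:06:30Z 10.0.0.22 aborters.duckdns.org 80 http GET /
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<proto>\S+)(?: (?P<detail>.*))?$"
)


def scan_logs(text, endpoints=None):
    """Return a Match for every line that touches a config host or carries an exfil mailbox."""
    endpoints = iocs_from_config() if endpoints is None else endpoints
    watched_hosts = {host for host, _ in endpoints}
    matches = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        dst, port = m["dst"].lower(), int(m["port"])
        detail = m["detail"] or ""
        reasons = []
        if (dst, port) in endpoints:
            reasons.append(f"config endpoint {dst}:{port}")
        elif dst in watched_hosts:
            # Same host on a port the config does not list: lower confidence, still worth review.
            reasons.append(f"config host {dst} on non-config port {port}")
        if SMTP_EXFIL["username"] in detail or SMTP_EXFIL["recipient"] in detail:
            reasons.append("exfil mailbox identifier in SMTP traffic")
        if reasons:
            matches.append(Match(line, tuple(reasons)))
    return matches


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit.line)
        for reason in hit.reasons:
            print("    ->", reason)
```

The port-insensitive second branch matters for the dynamic-DNS hosts (`duckdns.org`, `kozow.com`, `dns.army`): operators move the listener port without changing the hostname, so a hostname-only rule ages better than an exact host:port pair, at the cost of more review work.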

Targets

    • Target

      82437d591c16fcea83cd315465f5a67babb899186a4f8d464a7609ef8ae88468.exe

    • Size

      800KB

    • MD5

      9b7a1803cad3e79cb6449558d5ce938f

    • SHA1

      736f009ef8e35886fe5b0445e41dd4e6446352a7

    • SHA256

      82437d591c16fcea83cd315465f5a67babb899186a4f8d464a7609ef8ae88468

    • SHA512

      ddd19913a03d77b8abf58e5b351c5e24d887f8f769977a2cd69180353eb24d9c79b95ed4a4270a9f74f37a4badf4fcdddcc33b8d95bca267e2d0fae42d07a524

    • SSDEEP

      12288:wIXp2Ser4ask2HB+zF9TjnMbvafmszcTL13Ziw0GNERbbIp7h:4PskpPnU3ZiBGNERbbI9h

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients keep profile and account data on disk, and infostealers routinely harvest it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other account data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another process is the usual final step of process hollowing: a loader writes its payload into a suspended child process and redirects execution to it.

MITRE ATT&CK Matrix (ATT&CK v13)

The number after each technique is the count of report signatures mapped to it.

Credential Access

  • Unsecured Credentials (T1552): 2
  • Credentials In Files (T1552.001): 2

Collection

  • Data from Local System (T1005): 2
  • Email Collection (T1114): 1

Tasks