snakekeylogger | 7ea280179e136a1a753cddc73123975a77ac32ddf48ac9a033513dfe99a9a52e

General

Target

7ea280179e136a1a753cddc73123975a77ac32ddf48ac9a033513dfe99a9a52e
Size

243KB
Sample

240417-r5cgkacf88
MD5

88969f9a4697e9d6d70174cd0db26cb6
SHA1

c6eb45764761461bd6569eb8537daf4040054bd9
SHA256

7ea280179e136a1a753cddc73123975a77ac32ddf48ac9a033513dfe99a9a52e
SHA512

25ed3d8f4214ce2f71b5893efd0ac5a92ad37a85e57319670320e1e9c1adecd5c2a6b84a0aa33ce16209a4cd5c85b1345226b4cd2ad1eb294fdb4b81ca75c0c0
SSDEEP

6144:fI+KsMUOO1wfojcecJia9fHZJew3VVKBwCGlbdlS:ZO4wfo8iuHZEgVeyTS

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6180860165:AAH5meoxRqYOnd7z0M_zkiqQ7pmOf_hbrUY/sendMessage?chat_id=6077046490

Targets

- Target
  
  1179340120d15da615c756d150ef5e5416bafe41ccdc0207da63f8877177194c.exe
- Size
  
  269KB
- MD5
  
  3c707a76b1c6c53e381e5da078ce8997
- SHA1
  
  6ac3522f2ca5016163e4628dd34540ac9c265d98
- SHA256
  
  1179340120d15da615c756d150ef5e5416bafe41ccdc0207da63f8877177194c
- SHA512
  
  61972ebeb909ef6fd0b06c4a3c0dd253214a374da8be8f3992a9bd083e68c2eab1a98db4f28c2d5c4c1017182b738674bdfa64b7e0c6d7b00819b65e00d275bd
- SSDEEP
  
  6144:KYa6wCcfGAtjzSSWr+LL97alHLpS9pzEYzUUG3Z:KYGCcOAtjzSbrYwlHLYGU0
Score

10^/10

snakekeylogger collection keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  hzwixydpga.exe
- Size
  
  58KB
- MD5
  
  a125ad645e6565297bab29355475dbad
- SHA1
  
  0c1b472760f288c6a31181165f2ceef63ea69fae
- SHA256
  
  0c69de10bce3bbdea0a2db0caf5a79b3864d4d4da59bcae89f08e5b468350681
- SHA512
  
  e1dbbfcd03c5f531dd03a0b929249c44fb85838de057c8983de7ce243dd4fe5393c50d4ddf22aa15d4817c1fddb53b4764bc85f3bac47962809c7f74a69a55fe
- SSDEEP
  
  768:vFX1hE9FCuqS+dUUo6RoQ7tuSbYuIEfM5I+gI+27rN8cxcNKw2WsUfeWacM:NXo92S+dUwRjlj+vn1c
Score

3^/10
behavioral3 behavioral4