snakekeylogger | d05122420275a66f7914f25e90de66b6043f729def693f0a4f694d858ba8e10d

General

Target

d05122420275a66f7914f25e90de66b6043f729def693f0a4f694d858ba8e10d
Size

345KB
Sample

240417-r6bxescg57
MD5

bad7c54459da9da169703503589d7c49
SHA1

5fd2a22eedf87cec1ce1f4ec15a26ef03e2b8590
SHA256

d05122420275a66f7914f25e90de66b6043f729def693f0a4f694d858ba8e10d
SHA512

dd77de9b8b9797b11c19301e481e7bde6188c36243c56ff392ffc00f90940f8dd7672695215d744fa73e6567b70fb3e6b92e8e07e09735c87905b02899612885
SSDEEP

6144:cv9qsqeiMjBw2KVlYqC1sb3IseQYPcszlL5EesB7WfB5q0FJd7v57hbKtFi0ffne:cvYsdy2klV5IsIzR0MB5q03NrO7i0fG

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.daipro.com.mx
Port:
25
Username:
[email protected]
Password:
DAIpro123*
Email To:
[email protected]

C2

http://varders.kozow.com:8081

http://aborters.duckdns.org:8081

http://anotherarmy.dns.army:8081

Targets

- Target
  
  289bddc892160e8976bc0b7e91c76611cfcc9deb51ef25f5a4af387018820d30.exe
- Size
  
  456KB
- MD5
  
  466461a5fe597e86a5d73349b4fe2c33
- SHA1
  
  235ce3dd7563c831e92cbdcbf02f4b59a5e82f02
- SHA256
  
  289bddc892160e8976bc0b7e91c76611cfcc9deb51ef25f5a4af387018820d30
- SHA512
  
  ce546aedcfcf3307c1d1583a00a29585e7e91f193e09c89cc5b820510ad1fcdd15ec09d10d060b9ce9cd04b734be8ccecd9268f38a0c00e2041c078475cca2ab
- SSDEEP
  
  12288:yC49w9aUuO56buMhH72uWMF8iugJy1Tf:y192//yuu72ub8iLG
Score

10^/10

snakekeylogger collection keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Snake Keylogger

Snake Keylogger payload

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2