snakekeylogger | 8980e6e2628b4103f4e3e0b01365a5e9a7df6e38c067c93633371c94b3d5dd34

General

Target

8980e6e2628b4103f4e3e0b01365a5e9a7df6e38c067c93633371c94b3d5dd34.exe
Size

949KB
Sample

240425-b5cjkada72
MD5

384c4da2b75f4c7a1fa5585bc07634e6
SHA1

27d368536af080b92d543f9c24af8596cc0edd6d
SHA256

8980e6e2628b4103f4e3e0b01365a5e9a7df6e38c067c93633371c94b3d5dd34
SHA512

6b7919c2cb1a0900dad45b9d0a44aa7b7ff20a24cad142704978f3737f16ee5df0c3b9d2b1c5de05a0e565a9dfe591a82e7706eeda98c818d7a2840050f160b1
SSDEEP

12288:mF2iNryhiHr2JXAfykubkHwObkzi4pYv0lv312Z3:mF1lyhiHrAXAaXbkHwZ1qMJ312Z

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.agmfilter.com
Port:
587
Username:
s.reyhani@agmfilter.com
Password:
sibelr_63017
Email To:
draftreport@yahoo.com

C2

https://scratchdreams.tk

Targets

- Target
  
  8980e6e2628b4103f4e3e0b01365a5e9a7df6e38c067c93633371c94b3d5dd34.exe
- Size
  
  949KB
- MD5
  
  384c4da2b75f4c7a1fa5585bc07634e6
- SHA1
  
  27d368536af080b92d543f9c24af8596cc0edd6d
- SHA256
  
  8980e6e2628b4103f4e3e0b01365a5e9a7df6e38c067c93633371c94b3d5dd34
- SHA512
  
  6b7919c2cb1a0900dad45b9d0a44aa7b7ff20a24cad142704978f3737f16ee5df0c3b9d2b1c5de05a0e565a9dfe591a82e7706eeda98c818d7a2840050f160b1
- SSDEEP
  
  12288:mF2iNryhiHr2JXAfykubkHwObkzi4pYv0lv312Z3:mF1lyhiHrAXAaXbkHwZ1qMJ312Z
Score

10^/10

snakekeylogger collection keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables with potential process hoocking
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Snake Keylogger

Snake Keylogger payload

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables with potential process hoocking

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2