snakekeylogger | 5f8e6d5fd79a5a648e42597881ddf5e418be34a81b678b9742fad39d6b74c298

General

Target

5f8e6d5fd79a5a648e42597881ddf5e418be34a81b678b9742fad39d6b74c298.exe
Size

834KB
Sample

240425-bypwbada7x
MD5

ff53d6a04ea8618890f7a81e31bd8a22
SHA1

d804959bcb8a2ea43278a1f78aac8abede4fa62f
SHA256

5f8e6d5fd79a5a648e42597881ddf5e418be34a81b678b9742fad39d6b74c298
SHA512

fb1830954a5568b13448fc3326a66b7730081cc432aeca6de3cefde5b3ee7f44a9fe95c8d8ec53bbd293be3f931f0dcc890bf3c612593d07d897c6939cddce45
SSDEEP

12288:WUF9WM9gnUHf/6JCh+bLNftlDcaxlCcjbAf:WU2M9gUHf/6tLTlYklCQbA

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.agmfilter.com
Port:
587
Username:
s.reyhani@agmfilter.com
Password:
sibelr_63017
Email To:
draftreport@yahoo.com

C2

https://scratchdreams.tk

Targets

- Target
  
  5f8e6d5fd79a5a648e42597881ddf5e418be34a81b678b9742fad39d6b74c298.exe
- Size
  
  834KB
- MD5
  
  ff53d6a04ea8618890f7a81e31bd8a22
- SHA1
  
  d804959bcb8a2ea43278a1f78aac8abede4fa62f
- SHA256
  
  5f8e6d5fd79a5a648e42597881ddf5e418be34a81b678b9742fad39d6b74c298
- SHA512
  
  fb1830954a5568b13448fc3326a66b7730081cc432aeca6de3cefde5b3ee7f44a9fe95c8d8ec53bbd293be3f931f0dcc890bf3c612593d07d897c6939cddce45
- SSDEEP
  
  12288:WUF9WM9gnUHf/6JCh+bLNftlDcaxlCcjbAf:WU2M9gUHf/6tLTlYklCQbA
Score

10^/10

snakekeylogger collection keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables with potential process hoocking
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Snake Keylogger

Snake Keylogger payload

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables with potential process hoocking

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2