General

  • Target

    d46066c4c4bd510c11a5d4ee6e23ff0e2fdb7d5d716aceb9671caa3e679800b1.exe

  • Size

    871KB

  • Sample

    240501-ceweesde2y

  • MD5

    c766a45151c2a9b0879095062dc566fe

  • SHA1

    c9587ac978a75933670dd94c3766e635afeed2e8

  • SHA256

    d46066c4c4bd510c11a5d4ee6e23ff0e2fdb7d5d716aceb9671caa3e679800b1

  • SHA512

    a4739518995fc074d493bfe392d752f130353b47704d20bed767283dc46996b09bbc15e31ce0570aca33d2b9d1790c462895c651ae7c751edc3c4cfa464fc67e

  • SSDEEP

    12288:M+DbgRB778Qep6Yqvc8kSUfc69rROSI6nlFu6kOnnOebN:lgRBIRKc8kSUfHHI56kx0
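
Checking a file you hold against these values by eye is error-prone (the SHA512 alone is 128 hex characters), so here is a small verifier. This is an added example for this page, not output of the sandbox; it uses only the Python standard library and the digests copied from the list above. The ssdeep value is only parsed into its block size and two chunks; fuzzy comparison needs the ssdeep or ppdeep package, which is not assumed here.

```python
"""Verify a sample against the digests listed in this report (added example)."""
import hashlib
from typing import Dict, List, Tuple

# Digests copied from the report (lowercase hex).
REPORT_HASHES: Dict[str, str] = {
    "md5": "c766a45151c2a9b0879095062dc566fe",
    "sha1": "c9587ac978a75933670dd94c3766e635afeed2e8",
    "sha256": "d46066c4c4bd510c11a5d4ee6e23ff0e2fdb7d5d716aceb9671caa3e679800b1",
    "sha512": "a4739518995fc074d493bfe392d752f130353b47704d20bed767283dc46996b09"
              "bbc15e31ce0570aca33d2b9d1790c462895c651ae7c751edc3c4cfa464fc67e",
}
REPORT_SSDEEP = "12288:M+DbgRB778Qep6Yqvc8kSUfc69rROSI6nlFu6kOnnOebN:lgRBIRKc8kSUfHHI56kx0"


def compute_digests(data: bytes) -> Dict[str, str]:
    """Return md5/sha1/sha256/sha512 of an in-memory buffer as lowercase hex."""
    digests = {}
    for name in REPORT_HASHES:
        h = hashlib.new(name)
        h.update(data)
        digests[name] = h.hexdigest()
    return digests


def compute_digests_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file once through all four hashers (samples can be large)."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matching_algorithms(digests: Dict[str, str]) -> List[str]:
    """Algorithms whose value equals the report's. A genuine match agrees on all
    four; a partial match points at a transcription error in one of the lists."""
    return [name for name, value in digests.items()
            if value.lower() == REPORT_HASHES[name]]


def parse_ssdeep(sig: str) -> Tuple[int, str, str]:
    """Split 'blocksize:hash1:hash2'. hash2 is computed at twice the block size,
    so two signatures are comparable only when their block sizes are equal or
    differ by a factor of two."""
    block, h1, h2 = sig.split(":", 2)
    return int(block), h1, h2


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        matched = matching_algorithms(compute_digests_file(path))
        print(path, "matches report on:", matched or "nothing")
```

Run it as `python verify.py <file>`; anything other than all four algorithms matching means the file is not the sample this report describes.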

Malware Config

Extracted

Family

snakekeylogger

Credentials
C2

https://scratchdreams.tk

Targets

    • Target

      d46066c4c4bd510c11a5d4ee6e23ff0e2fdb7d5d716aceb9671caa3e679800b1.exe

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables with potential process hooking

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites a thread's registers, including its instruction pointer. Outside debuggers it is mostly seen in process hollowing and similar injection, where a payload is written into a suspended process and its main thread is redirected to it.
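
The behavioural signatures above are descriptions, not rule bodies. The following is an added example, not the sandbox's own detection code, that replays equivalent checks over a process trace so the conditions behind each signature are explicit. The trace format (pid, API, argument, tab-separated), the sample lines, the placeholder paths and the indicator lists are all constructed assumptions; the C2 host is the one from the extracted config above.

```python
"""Replay the report's behavioural signatures over a constructed API trace (added example)."""
import re
from collections import defaultdict
from typing import Callable, Dict, List, NamedTuple
from urllib.parse import urlsplit


class Event(NamedTuple):
    pid: int
    api: str
    arg: str


# Constructed trace (pid<TAB>api<TAB>argument), condensed to the calls the
# signatures care about. User name, profile names and the hollowed host
# executable are placeholders, not values from the sample.
SAMPLE_TRACE = """\
4120\tCreateFileW\tC:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
4120\tCreateFileW\tC:\\Users\\victim\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\k3x9.default-release\\logins.json
4120\tCreateFileW\tC:\\Users\\victim\\AppData\\Roaming\\Thunderbird\\Profiles\\a1b2.default\\key4.db
4120\tRegOpenKeyExW\tHKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook
4120\tInternetOpenUrlA\thttp://checkip.dyndns.org/
4120\tCreateProcessW\tC:\\placeholder\\host.exe (CREATE_SUSPENDED)
4120\tWriteProcessMemory\tpid=5204
4120\tSetThreadContext\tpid=5204
4120\tResumeThread\tpid=5204
4120\tHttpSendRequestW\thttps://scratchdreams.tk
"""

# Indicator sets: assumptions that encode the signature descriptions,
# not the sandbox's actual rule logic. Matching is case-insensitive.
FILE_APIS = {"CreateFileW", "CreateFileA", "NtCreateFile", "CopyFileW"}
BROWSER_PATHS = ("\\google\\chrome\\user data\\", "\\microsoft\\edge\\user data\\",
                 "\\mozilla\\firefox\\profiles\\", "\\opera software\\", "\\bravesoftware\\")
MAIL_PATHS = ("\\thunderbird\\", "\\microsoft\\outlook\\", "\\foxmail\\")
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "ipinfo.io", "icanhazip.com", "ifconfig.me"}
C2_HOSTS = {"scratchdreams.tk"}  # from the extracted config in this report
# Outlook 2013+ keeps profiles under HKCU\Software\Microsoft\Office\<ver>\Outlook\Profiles
OUTLOOK_PROFILES = re.compile(r"\\microsoft\\office\\\d+\.\d+\\outlook\\profiles\\", re.I)
PID_ARG = re.compile(r"pid=(\d+)")


def parse_trace(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, api, arg = line.split("\t", 2)
        events.append(Event(int(pid), api, arg))
    return events


def _host(arg: str) -> str:
    """Hostname of a URL argument, '' for anything that is not a URL."""
    try:
        return (urlsplit(arg).hostname or "").lower()
    except ValueError:
        return ""


def reads_browser_data(e: Event) -> bool:
    return e.api in FILE_APIS and any(p in e.arg.lower() for p in BROWSER_PATHS)


def reads_mail_data(e: Event) -> bool:
    return e.api in FILE_APIS and any(p in e.arg.lower() for p in MAIL_PATHS)


def accesses_outlook_profiles(e: Event) -> bool:
    return e.api.startswith("RegOpenKey") and bool(OUTLOOK_PROFILES.search(e.arg))


def looks_up_external_ip(e: Event) -> bool:
    return _host(e.arg) in IP_LOOKUP_HOSTS


def contacts_c2(e: Event) -> bool:
    return _host(e.arg) in C2_HOSTS


PER_EVENT: Dict[str, Callable[[Event], bool]] = {
    "Reads user/profile data of web browsers": reads_browser_data,
    "Reads user/profile data of local email clients": reads_mail_data,
    "Accesses Microsoft Outlook profiles": accesses_outlook_profiles,
    "Looks up external IP address via web service": looks_up_external_ip,
    "Contacts extracted C2": contacts_c2,
}


def evaluate(trace: str) -> Dict[str, List[str]]:
    """Return {signature: [matching arguments]} for every signature that fired."""
    hits: Dict[str, List[str]] = defaultdict(list)
    written_to = set()
    for e in parse_trace(trace):
        for name, pred in PER_EVENT.items():
            if pred(e):
                hits[name].append(e.arg)
        # SetThreadContext alone is what debuggers do; the suspicious pattern is
        # WriteProcessMemory into another process followed by SetThreadContext
        # on that process, i.e. the hollowing/injection chain.
        m = PID_ARG.search(e.arg)
        target = int(m.group(1)) if m else None
        if e.api == "WriteProcessMemory" and target is not None and target != e.pid:
            written_to.add(target)
        elif e.api == "SetThreadContext" and target in written_to:
            hits["Suspicious use of SetThreadContext"].append(e.arg)
    return dict(hits)


if __name__ == "__main__":
    for name, args in evaluate(SAMPLE_TRACE).items():
        print(f"{name}: {len(args)} hit(s)")
```

The SetThreadContext rule is deliberately stateful: flagging every call would hit debuggers and some legitimate runtimes, while requiring a preceding cross-process WriteProcessMemory narrows it to the injection pattern the signature is meant to describe.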

MITRE ATT&CK Enterprise v15

Tasks