General

  • Target

    DNXS-04-22.r00

  • Size

    563KB

  • Sample

    240502-hdc5cabe5x

  • MD5

    0631b86954d8aec9ba4ba2a3e5559308

  • SHA1

    0dbeac26e3613a5199017462eb82afde50ed7cb9

  • SHA256

    d277ba57d3831278f510a9eaf1e520e1476547c27654cd2cf6b73c04ea947bc1

  • SHA512

    462da4a789d1ae7ce7d3d91fb3d8823b716d4f7d954d9d7f2c2309eba8e2704a2fe190415a3abacec76df69a358ecd7b4cdf4dfd0eee156c34caa9a4ae84dd3a

  • SSDEEP

    12288:XSDAzfWE94WGdO6VzcARXSB9EpGPfRE0oPkthjWFhepl:XSDA7Wu8dyukfRERPkg8l

Malware Config

Extracted

Family

snakekeylogger

Credentials

C2

https://scratchdreams.tk

Targets

    • Target

      DNXS-04-22.exe

    • Size

      868KB

    • MD5

      64932c473d74fbdfdb706a094543cf37

    • SHA1

      f19b8960681b56cab45a9f14871108cf4d522251

    • SHA256

      8b9dedaa09d239667dd9cabe0c7efab61712868b32ebb3a50110df8980823ce9

    • SHA512

      1f662c50b378e5be0dc6faec894fb7266417b5ac2952583efdb6801f873bd5c52e3a6d8d001491ee668c1142456ef33d606f2be7be6749840ac819b70d0023dd

    • SSDEEP

      12288:y2iNzeWFm+1okFwe6N9LtinuoFZK4s5ehC3s5IrA6tN/uYiXdwsh:y1tRFm+1okFPOtT4OgC3s5IlNxi

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, and infostealers frequently target that stored data.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks