General

  • Target

    PO 18291 - PO 18292.exe

  • Size

    567KB

  • Sample

    240502-kknkrsfd83

  • MD5

    1fb717b10b585fdbf8cd3b3ff8df7e2e

  • SHA1

    8a2884f7a6de3d3b495adf2c35ef52ee76d20287

  • SHA256

    4ffdb2ec820fcc5ab2bc290fba2917c75d7cc0620beeb8def7bcbe80c31e319a

  • SHA512

    50639423070015bf5a024e2807866c824833b8b633c20ab56150bbc7a9aa99688f9076cb8f31b07ed3b662758fca36ab6bcc157363534fa8d6cc1c6c92d3e47c

  • SSDEEP

    12288:6UY2iNdlyvOF3CCzH712fbdq/IJjStjn2v/ZnQ:Q1PlyvON1zH7wsQkT2m

Malware Config

Extracted

Family

snakekeylogger

Credentials

C2

https://scratchdreams.tk

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks