General

  • Target

    672047c9f1f92700303fa90df3ecce9faf67138888eedce5fd47a599120e0ec5.exe

  • Size

    1.1MB

  • Sample

    240503-b5wmfaca2t

  • MD5

    229fe47707cccda45c6af54be6b852f1

  • SHA1

    a4657bc7114efcba18cf8293797f2c389e3f125f

  • SHA256

    672047c9f1f92700303fa90df3ecce9faf67138888eedce5fd47a599120e0ec5

  • SHA512

    984cdf2fb4c2797f112c94370d0d9bfaf67bcd5603390a1d2d6717f0fbe73734f7de207582cfb1facdc36ccd9ce54539318c0c0ff17d71b464e0c586d9e1019a

  • SSDEEP

    12288:nZxMPV/hEq2iNVNeU+U6+B1MLAzPDnIzOgqEnACusmKAbJE+/kBeWFm+IPaxuoU:IPpN1gj+B1X8zOGcsPAr/wRFm+I

Malware Config

Extracted

Family

snakekeylogger

Credentials
C2

https://scratchdreams.tk

Targets

    • Target

      672047c9f1f92700303fa90df3ecce9faf67138888eedce5fd47a599120e0ec5.exe

    • Size

      1.1MB

    • MD5

      229fe47707cccda45c6af54be6b852f1

    • SHA1

      a4657bc7114efcba18cf8293797f2c389e3f125f

    • SHA256

      672047c9f1f92700303fa90df3ecce9faf67138888eedce5fd47a599120e0ec5

    • SHA512

      984cdf2fb4c2797f112c94370d0d9bfaf67bcd5603390a1d2d6717f0fbe73734f7de207582cfb1facdc36ccd9ce54539318c0c0ff17d71b464e0c586d9e1019a

    • SSDEEP

      12288:nZxMPV/hEq2iNVNeU+U6+B1MLAzPDnIzOgqEnACusmKAbJE+/kBeWFm+IPaxuoU:IPpN1gj+B1X8zOGcsPAr/wRFm+I

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables with potential process hoocking

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks