General

  • Target

    1884a949e9068ffe0dd84be7644cd3a8fe320542252e533ce1d2214f79b50990.exe

  • Size

    949KB

  • Sample

    240503-bkbfrsbc6z

  • MD5

    d20ba9548abd76ba228729949f845e59

  • SHA1

    55d97abeb438e0c4aec352523f10ec3c9d773a8c

  • SHA256

    1884a949e9068ffe0dd84be7644cd3a8fe320542252e533ce1d2214f79b50990

  • SHA512

    b93e904be969091299e76cba66ef8f300fb4867847c579f58f43386f57674049ee0ba743f4a2827b7caf77c924ab840145dab0ab882bd2c2e899dd6f69dcb8b6

  • SSDEEP

    12288:U1P60g/mCJJLRfimNQUWiUwoZ3VZ5K7nKhFSFlSP:U1PBgeCfRRNVT0nY7nO0l

Malware Config

Extracted

Family

snakekeylogger

Credentials
C2

https://scratchdreams.tk

Targets

    • Target

      1884a949e9068ffe0dd84be7644cd3a8fe320542252e533ce1d2214f79b50990.exe

    • Size

      949KB

    • MD5

      d20ba9548abd76ba228729949f845e59

    • SHA1

      55d97abeb438e0c4aec352523f10ec3c9d773a8c

    • SHA256

      1884a949e9068ffe0dd84be7644cd3a8fe320542252e533ce1d2214f79b50990

    • SHA512

      b93e904be969091299e76cba66ef8f300fb4867847c579f58f43386f57674049ee0ba743f4a2827b7caf77c924ab840145dab0ab882bd2c2e899dd6f69dcb8b6

    • SSDEEP

      12288:U1P60g/mCJJLRfimNQUWiUwoZ3VZ5K7nKhFSFlSP:U1PBgeCfRRNVT0nY7nO0l

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables with potential process hoocking

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks