General

  • Target

    0d5548b7d4696c67dba1d5bb827285ed2d3846fd0ad28140c198ad9c467f1bb0.exe

  • Size

    942KB

  • Sample

    240504-bex3kshc7x

  • MD5

    c62da7a3eac6bae78ea8a771faa65d17

  • SHA1

    302984629aa44746a3e8b832c4fcacabcc585aaa

  • SHA256

    0d5548b7d4696c67dba1d5bb827285ed2d3846fd0ad28140c198ad9c467f1bb0

  • SHA512

    8e534c1e0d80757c9b8d02895f67d0ac46c15dd3f5fd418e4482859c8252f64bc0dff4d436da1af81db37d1593a0430d30562e74a1f8e845b030aa4f421c5add

  • SSDEEP

    12288:MSYxUeoUKT5lmvV9fGRaBeUBSMUkA4zcL4pLou:gz45lmdlIaHBokA1L4j

Malware Config

Extracted

Family

snakekeylogger

Credentials

C2

https://scratchdreams.tk

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with SmartAssembly

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables with potential process hooking

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks