General

  • Target

    POT9876540009865.cmd

  • Size

    1.1MB

  • Sample

    240520-gtsdjafd6x

  • MD5

    3f090151eabfcea91b663d395c148dee

  • SHA1

    f18d552111a8f034055cf5c165d9370af83b247b

  • SHA256

    05e6b3a937592100deb5cb064834821eb9cdf994f610b2398302ab3ddca8dbcd

  • SHA512

    a81683a0d62c7038c2a0590ac3da4d54dfb2301cbb94b537daceaebe58d2a530f4d1455a18c4f26ea1bc73b9406476708be01fff8779667ed1a5c6611433bad8

  • SSDEEP

    24576:qSu1S82mBVrIiudqIDyeJBilZqkAzUHl7C:qSuU82mTVeHiikAzUH

Malware Config

Extracted

Family

snakekeylogger

Credentials
C2

https://scratchdreams.tk

Targets

    • Target

      POT9876540009865.cmd

    • Size

      1.1MB

    • MD5

      3f090151eabfcea91b663d395c148dee

    • SHA1

      f18d552111a8f034055cf5c165d9370af83b247b

    • SHA256

      05e6b3a937592100deb5cb064834821eb9cdf994f610b2398302ab3ddca8dbcd

    • SHA512

      a81683a0d62c7038c2a0590ac3da4d54dfb2301cbb94b537daceaebe58d2a530f4d1455a18c4f26ea1bc73b9406476708be01fff8779667ed1a5c6611433bad8

    • SSDEEP

      24576:qSu1S82mBVrIiudqIDyeJBilZqkAzUHl7C:qSuU82mTVeHiikAzUH

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Drops startup file

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks