General

  • Target

    45a1b2c7883a95776966abbe942254055d36890f9aeaa4c78e18f86046d1600c.exe

  • Size

    1024KB

  • Sample

    240521-bk433sdf9y

  • MD5

    2e488e75f59f35f2a52e403254f6ac4b

  • SHA1

    f9631fd13ce8fefe5f1aee7d638fb6e2a4ae9ac1

  • SHA256

    45a1b2c7883a95776966abbe942254055d36890f9aeaa4c78e18f86046d1600c

  • SHA512

    1df825813bf3e78b2c7f52e3315dffe1906ae61ff168dd834384180b644a73152f0e4e3905859e4511c13c56d654890e8dd34b04140ce93c907a9113c9452271

  • SSDEEP

    24576:WSu1S82mBVrIiudqjgKJrgKCC9Uy77C/:WSuU82mTV7gKJNZ9J

Malware Config

Extracted

Family

snakekeylogger

Credentials

C2

https://scratchdreams.tk
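The indicators above (file hashes, SSDEEP fuzzy hash and the extracted C2) turned into a small IOC checker. This is an added example, not part of the sandbox report or its vendor's tooling: the hash values, fuzzy hash and C2 domain are the ones printed on the page, while the log lines and the benign file contents are constructed for the demonstration. It validates each indicator before use (a truncated or mistyped hash would otherwise simply never match), splits the SSDEEP value into its block size and two signatures, and matches hashes case-insensitively and domains including subdomains of the C2 host.

```python
"""IOC handling for the Snake Keylogger sample: parse, validate, match.

Added example, not from the sandbox report. Hash values, SSDEEP and C2 are the
page's values; the log lines and benign file bytes below are constructed.
"""
import hashlib
import re
from urllib.parse import urlsplit

REPORT = """
MD5     2e488e75f59f35f2a52e403254f6ac4b
SHA1    f9631fd13ce8fefe5f1aee7d638fb6e2a4ae9ac1
SHA256  45a1b2c7883a95776966abbe942254055d36890f9aeaa4c78e18f86046d1600c
SSDEEP  24576:WSu1S82mBVrIiudqjgKJrgKCC9Uy77C/:WSuU82mTV7gKJNZ9J
C2      https://scratchdreams.tk
"""

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_report(text):
    """Return {'hashes': {algo: hex}, 'ssdeep': str|None, 'domains': set}.

    Hashes are lower-cased and checked for length and hex content, so a bad
    indicator fails loudly here instead of silently never matching."""
    iocs = {"hashes": {}, "ssdeep": None, "domains": set()}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key in HEX_LEN:
            v = value.lower()
            if len(v) != HEX_LEN[key] or not re.fullmatch(r"[0-9a-f]+", v):
                raise ValueError(f"bad {key} value: {value}")
            iocs["hashes"][key] = v
        elif key == "ssdeep":
            iocs["ssdeep"] = value
        elif key == "c2":
            host = urlsplit(value).hostname or value  # accept a URL or a bare host
            iocs["domains"].add(host.lower())
    return iocs


def parse_ssdeep(value):
    """Split a ssdeep hash into (blocksize, signature, signature_at_2x_blocksize).

    Two ssdeep hashes are only comparable when their block sizes are equal or
    differ by a factor of two, which is why the block size is kept separately."""
    blocksize, sig, sig2 = value.split(":", 2)
    return int(blocksize), sig, sig2


def hash_bytes(data):
    """Digests of a file's bytes for the three algorithms the report lists."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def matches_sample(data, iocs):
    """Algorithms for which `data` hashes to the report's value."""
    digests = hash_bytes(data)
    return sorted(a for a, v in digests.items() if iocs["hashes"].get(a) == v)


HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{32,128}\b")
HOST_TOKEN = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


def match_line(line, iocs):
    """IOC types found in one log line: hash hits and domain (or subdomain) hits."""
    hits = []
    wanted = set(iocs["hashes"].values())
    for tok in HEX_TOKEN.findall(line):
        if tok.lower() in wanted:
            hits.append("hash")
    for tok in HOST_TOKEN.findall(line):
        t = tok.lower()
        if any(t == d or t.endswith("." + d) for d in iocs["domains"]):
            hits.append("domain")
    return hits


def scan_logs(lines, iocs):
    """(line number, hit types) for every line that carries at least one IOC."""
    out = []
    for n, line in enumerate(lines, 1):
        hits = match_line(line, iocs)
        if hits:
            out.append((n, hits))
    return out


IOCS = parse_report(REPORT)
BENIGN_SHA256 = hashlib.sha256(b"constructed benign file").hexdigest()
SAMPLE_LOGS = [  # constructed, not output of the sandbox run
    "2024-05-21T10:02:11Z edr ProcessCreate image=C:\\Users\\bob\\Downloads\\invoice.exe "
    "sha256=45A1B2C7883A95776966ABBE942254055D36890F9AEAA4C78E18F86046D1600C",
    "2024-05-21T10:02:14Z dns query name=scratchdreams.tk type=A client=10.0.0.23",
    "2024-05-21T10:02:15Z proxy GET host=cdn.SCRATCHDREAMS.tk client=10.0.0.23",
    "2024-05-21T10:03:01Z edr ProcessCreate image=C:\\Windows\\System32\\notepad.exe "
    f"sha256={BENIGN_SHA256}",
]

if __name__ == "__main__":
    for n, hits in scan_logs(SAMPLE_LOGS, IOCS):
        print(n, hits)
```

The domain check deliberately matches subdomains of the extracted host, since a C2 that moves from the apex to a subdomain should still trip the rule; the hash check is exact by design.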

Targets

    • Target

      45a1b2c7883a95776966abbe942254055d36890f9aeaa4c78e18f86046d1600c.exe

    • Size

      1024KB

    • MD5

      2e488e75f59f35f2a52e403254f6ac4b

    • SHA1

      f9631fd13ce8fefe5f1aee7d638fb6e2a4ae9ac1

    • SHA256

      45a1b2c7883a95776966abbe942254055d36890f9aeaa4c78e18f86046d1600c

    • SHA512

      1df825813bf3e78b2c7f52e3315dffe1906ae61ff168dd834384180b644a73152f0e4e3905859e4511c13c56d654890e8dd34b04140ce93c907a9113c9452271

    • SSDEEP

      24576:WSu1S82mBVrIiudqjgKJrgKCC9Uy77C/:WSuU82mTV7gKJNZ9J

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables referencing many email and collaboration clients. Observed in information stealers.

    • Detects executables with potential process hooking

    • UPX dump on OEP (original entry point)

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      PowerShell Invoke-WebRequest.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
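No single signature above is conclusive on its own: a locale lookup, a PowerShell download or a SetThreadContext call each occur in legitimate software. What makes the sample convincing is several of them occurring in one process tree. The following is an added example, not the sandbox's own detection logic, that correlates those behaviours per process tree over a constructed Sysmon/EDR-like event stream. The C2 host and signature names are taken from the report; the registry path for the location check, the IP-lookup host and the drop directories are assumptions, since the report names none of them.

```python
"""Per-process-tree correlation of the behavioural signatures in the report.

Added example, not the sandbox's detection logic. EVENTS is constructed.
From the report: the C2 host and the signature names. Assumed (not named on
the page): GEO_KEY, IP_LOOKUP_HOSTS, DROP_DIRS.
"""
from collections import defaultdict

C2_HOST = "scratchdreams.tk"                            # from the report
GEO_KEY = r"HKCU\Control Panel\International\Geo"       # assumed location key
IP_LOOKUP_HOSTS = {"checkip.example"}                   # constructed placeholder
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")  # assumed

# (seq, pid, kind, detail); for process_create, pid is the new process and
# detail["ppid"] its creator. Constructed to mirror the signature list above.
EVENTS = [
    (1, 100, "process_create", {"ppid": 1, "image": r"C:\Users\bob\Downloads\invoice.exe"}),
    (2, 100, "registry_read", {"key": GEO_KEY + r"\Nation"}),
    (3, 200, "process_create", {"ppid": 100, "image": r"C:\Users\bob\AppData\Local\Temp\svc.exe"}),
    (4, 300, "process_create", {"ppid": 200, "image": r"C:\Windows\System32\svchost.exe"}),
    (5, 200, "api_call", {"name": "SetThreadContext", "target_pid": 300}),
    (6, 300, "network", {"host": "checkip.example"}),
    (7, 300, "network", {"host": C2_HOST}),
    # unrelated browser tree: a lone locale lookup must not raise an alert
    (8, 400, "process_create", {"ppid": 1, "image": r"C:\Program Files\Browser\browser.exe"}),
    (9, 400, "registry_read", {"key": GEO_KEY + r"\Nation"}),
    (10, 400, "network", {"host": "docs.example.org"}),
]


def rule_geofence(pid, kind, d):
    if kind == "registry_read" and d["key"].lower().startswith(GEO_KEY.lower()):
        return "checks computer location settings"


def rule_dropped_exe(pid, kind, d):
    if kind == "process_create" and any(p in d["image"].lower() for p in DROP_DIRS):
        return "executes dropped EXE"


def rule_thread_context(pid, kind, d):
    # Only cross-process SetThreadContext is flagged: setting the context of a
    # thread in another process is the hollowing/injection pattern.
    if kind == "api_call" and d["name"] == "SetThreadContext" and d.get("target_pid", pid) != pid:
        return "suspicious use of SetThreadContext"


def rule_ip_lookup(pid, kind, d):
    if kind == "network" and d["host"].lower() in IP_LOOKUP_HOSTS:
        return "looks up external IP address via web service"


def rule_c2(pid, kind, d):
    if kind == "network" and d["host"].lower() == C2_HOST:
        return "contacts extracted C2"


RULES = (rule_geofence, rule_dropped_exe, rule_thread_context, rule_ip_lookup, rule_c2)


def build_root_resolver(events):
    """Map any pid to the top of its process tree using process_create events.

    This is what lets behaviour in a hollowed child (pid 300) count against
    the tree started by the downloaded sample (pid 100)."""
    parent = {pid: d["ppid"] for _, pid, kind, d in events if kind == "process_create"}

    def root(pid):
        seen = set()
        while pid in parent and parent[pid] in parent and pid not in seen:
            seen.add(pid)
            pid = parent[pid]
        return pid

    return root


def correlate(events):
    """{root pid: set of signature names observed anywhere in that tree}."""
    root_of = build_root_resolver(events)
    hits = defaultdict(set)
    for _, pid, kind, detail in events:
        for rule in RULES:
            name = rule(pid, kind, detail)
            if name:
                hits[root_of(pid)].add(name)
    return dict(hits)


def verdict(hits, threshold=3):
    """Alert only when a tree accumulates `threshold` distinct signatures."""
    return {root: len(names) >= threshold for root, names in hits.items()}


if __name__ == "__main__":
    for root, names in correlate(EVENTS).items():
        print(root, sorted(names))
```

The threshold is a tuning knob, not a fact from the report: the point is that the sample's tree accumulates five distinct signatures while the browser tree, which performs the same registry lookup, stays at one.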

MITRE ATT&CK Enterprise v15