snakekeylogger | 1a4986d0910fe8a7a4c54d6cc8945eb3c8d6e47e6d22f0106447ac60e3a00b13 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

68b63bf9014e35fd9d8c620efde3780f_JaffaCakes118
Size

1.8MB
Sample

240723-yqc8wavdnq
MD5

68b63bf9014e35fd9d8c620efde3780f
SHA1

c434a65f3b02283434d632f326a981e3f4837b44
SHA256

1a4986d0910fe8a7a4c54d6cc8945eb3c8d6e47e6d22f0106447ac60e3a00b13
SHA512

f66cd815837d7b8a1067771bb5c293b6748a6521db8ae3d8721ffe3013dd3ff63e88a9763a328ca64142658b0e34b5f20fc9029c80d87a005c47faaf1ff4534e
SSDEEP

12288:NJ3X8mSiH1rKl/yLrXoWbd7elD3E7SvE2mvnVfP3ByxbE/wT1eNG:NJllVrKlyLrXoUL7SvOvBZyG45

Score

10^/10

snakekeylogger collection credential_access discovery keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: ftp
Host:
ftp://bitrix370.timeweb.ru/
Port:
21
Username:
cn94754
Password:
c2eitfpidhgS

Targets

- Target
  
  RFQ for Quotation for PIPES, FITTINGS & FLANGES AS ATTACHED MTO.exe
- Size
  
  1.2MB
- MD5
  
  08e24a3d689c7c7a9f4a1d29015be51b
- SHA1
  
  0e314c8fcdfbc88521ddfc80b2984f3d587a982b
- SHA256
  
  9d6c737ffe3b5886f36b9883b3019361fc286845616dc9a757dde4b78901239b
- SHA512
  
  e9c654a054f7c29eab65cefcbc85e1dcdc3feefba28200bfca856b0751b350cb732e147b500038b476ac8f646afe5ba535a08a069feda2d75e3c45c34a9bee6e
- SSDEEP
  
  12288:vJ3X8mSiH1rKl/yLrXoWbd7elD3E7SvE2mvnVfP3ByxbE/wT1eNG:vJllVrKlyLrXoUL7SvOvBZyG45
Score

10^/10

snakekeylogger collection credential_access discovery keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

snakekeyloggercollectioncredential_accessdiscoverykeyloggerstealer

behavioral2

snakekeyloggercollectioncredential_accessdiscoverykeyloggerstealer