snakekeylogger | eba6e6e51c6065bff9275f0a042e84c417bb4e853db80b9eeb770da1839e2019 | Triage

Sharing

General

Target

eba6e6e51c6065bff9275f0a042e84c417bb4e853db80b9eeb770da1839e2019.rar
Size

600KB
Sample

240724-d3t2yaygng
MD5

a6b6cf21eb7f1fb7ab82f594a0117c60
SHA1

3996adbe87944c0a1182800e851c8a7824cc1203
SHA256

eba6e6e51c6065bff9275f0a042e84c417bb4e853db80b9eeb770da1839e2019
SHA512

f7ef64a58d90f0af31fa0d698dc7aed52ba4d41721b35a2f1787baa54c8b5fbefd50046f3e438efe67315de5fb04b757c8e4be10206c83c5ccf16c67694ddbb5
SSDEEP

12288:C1Cf+sAYQBcfHePeMs+VQllSiu/kunC32RfGqkMi6WUX:CA+vYQBeH++qiucuCHdrUX

Score

10^/10

snakekeylogger discovery execution keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.remfryson.com
Port:
587
Username:
[email protected]
Password:
CnG_23*NMA

Targets

- Target
  
  TT0122401111- Debit Advise.exe
- Size
  
  674KB
- MD5
  
  2680410bfc9c9969731353ab7b415147
- SHA1
  
  c84587d67247bb6792dba5f28feb5a86c0a714b1
- SHA256
  
  ba1acfe71edd389ce10a570ffe0f766573229384d9606b0700099c352994b4ee
- SHA512
  
  0e9eb4105ee94a147c17c11530d5989fd1868f91e50fdb8cd8f51ef7d3f73d6a40f937a6446b3461281dd49f60a5ca735970fa5f9f9ae20f081032066b4cdc51
- SSDEEP
  
  12288:X/+2iNxAypLcLJtyEpCvDcghpwPESeWdCh0KVgy5L0KXyV24:X/+1bAypctyEpUhpNn0KCrKXyw
Score

10^/10

discovery snakekeylogger execution keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

snakekeyloggerdiscoveryexecutionkeyloggerstealer