snakekeylogger | 4f3ec860e9371f32df06c6d342b6e16bdc8ad4c08aeeaa8f2a66549750805603

General

Target

4f3ec860e9371f32df06c6d342b6e16bdc8ad4c08aeeaa8f2a66549750805603.exe
Size

344KB
Sample

240808-s738qsvhpn
MD5

ceb0fc229f47b61909ce0e6a68dd191f
SHA1

93862169c62ec357ae869c50e5249fc16bab9cc9
SHA256

4f3ec860e9371f32df06c6d342b6e16bdc8ad4c08aeeaa8f2a66549750805603
SHA512

144d51e428158fc1f0c4b35d49c658f4665ac5a2bf2622aed782dfc87aa45155f9c9e55d79f21abf8a2af5742405d4f3505f158ae2992d63430fa5db1076fb64
SSDEEP

6144:VMm4CCe7+uZAh8J7OPYkexqSiLIQ0QfCqJ6v58FG9bBo6zEJR2X3g38Gn6s9l/cK:VMwAeAdexqSiX0oC9v9b66zSR2HgsGnj

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7197950156:AAHyWbH8kpjv0OHg9kyjLK-uVhbdlEhq_ZQ/sendMessage?chat_id=6873631044

Targets

- Target
  
  4f3ec860e9371f32df06c6d342b6e16bdc8ad4c08aeeaa8f2a66549750805603.exe
- Size
  
  344KB
- MD5
  
  ceb0fc229f47b61909ce0e6a68dd191f
- SHA1
  
  93862169c62ec357ae869c50e5249fc16bab9cc9
- SHA256
  
  4f3ec860e9371f32df06c6d342b6e16bdc8ad4c08aeeaa8f2a66549750805603
- SHA512
  
  144d51e428158fc1f0c4b35d49c658f4665ac5a2bf2622aed782dfc87aa45155f9c9e55d79f21abf8a2af5742405d4f3505f158ae2992d63430fa5db1076fb64
- SSDEEP
  
  6144:VMm4CCe7+uZAh8J7OPYkexqSiLIQ0QfCqJ6v58FG9bBo6zEJR2X3g38Gn6s9l/cK:VMwAeAdexqSiX0oC9v9b66zSR2HgsGnj
Score

10^/10

discovery snakekeylogger collection credential_access keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/LangDLL.dll
- Size
  
  5KB
- MD5
  
  08de81a4584f5201086f57a7a93ed83b
- SHA1
  
  266a6ecc8fb7dca115e6915cd75e2595816841a8
- SHA256
  
  4883cd4231744be2dca4433ef62824b7957a3c16be54f8526270402d9413ebe6
- SHA512
  
  b72e7cea5ce1f4dc64e65a1f683a3ef9e3fa2dc45cf421f569eb461f1fdcc0caf4ff62a872e62b400579f567c6ff9fc3c2e6e020cdca89d96015502c803a09b9
- SSDEEP
  
  48:S46+/1TKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mLofjLl:zHuPbOBtWZBV8jAWiAJCdv2CmeL
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  6e55a6e7c3fdbd244042eb15cb1ec739
- SHA1
  
  070ea80e2192abc42f358d47b276990b5fa285a9
- SHA256
  
  acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
- SHA512
  
  2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35
- SSDEEP
  
  192:MenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBaIwL:M8+Qlt70Fj/lQRY/9VjjgL
Score

3^/10

discovery
behavioral5 behavioral6