General
-
Target
CV-JOB REQUEST.exe
-
Size
515KB
-
Sample
240906-g5hcps1bnl
-
MD5
6d482d6979ff13a56f0dd2223237c40c
-
SHA1
627f46fcb0452340b74908696c8ad334097fd4a2
-
SHA256
b5d65c04a01dd0fe41a85f37d2e221651def9ebff8d315631dfaa48d40afd210
-
SHA512
ac2a5e933ed57a353bce661ab55244010541b60384846c8dcb209c1d4aec95a1ad4264788ce5ef42be5c8ff62938bdbd96c1e9fad89ef5e7b53da28cc8de1c3c
-
SSDEEP
12288:WidzH/9cHIwNt4tdLk5guhUehzeBRtbXCbXZAInv0wMrxlYu8F1nQPD0RfvE5q:WumNytdLkAHyzZPnclrTYVnR05q
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.laboratoriosvilla.com.mx - Port:
587 - Username:
[email protected] - Password:
WZ,2pliw#L)D - Email To:
[email protected]
Targets
-
-
Target
CV-JOB REQUEST.exe
-
Size
515KB
-
MD5
6d482d6979ff13a56f0dd2223237c40c
-
SHA1
627f46fcb0452340b74908696c8ad334097fd4a2
-
SHA256
b5d65c04a01dd0fe41a85f37d2e221651def9ebff8d315631dfaa48d40afd210
-
SHA512
ac2a5e933ed57a353bce661ab55244010541b60384846c8dcb209c1d4aec95a1ad4264788ce5ef42be5c8ff62938bdbd96c1e9fad89ef5e7b53da28cc8de1c3c
-
SSDEEP
12288:WidzH/9cHIwNt4tdLk5guhUehzeBRtbXCbXZAInv0wMrxlYu8F1nQPD0RfvE5q:WumNytdLkAHyzZPnclrTYVnR05q
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-