snakekeylogger | e0373c3ce75d84a7a083c330250a6ad3a6705ac9bad84353bd7bc40dd3f2a66f

General

Target

d6cb12c81a7f4d29e096f01c0726eccf_JaffaCakes118
Size

775KB
Sample

240909-v3j1easfnh
MD5

d6cb12c81a7f4d29e096f01c0726eccf
SHA1

a253daac9efe283704c1b679843770c7d4ac3f3e
SHA256

e0373c3ce75d84a7a083c330250a6ad3a6705ac9bad84353bd7bc40dd3f2a66f
SHA512

c65101c6e8c0524d2fb2eec85ad09f6bc836f4b623e70de5b6bed3a14b34c42ea4e624bf3f459a4da37ac514c1836a8d013b86b648bd78be4749a65a09454d6d
SSDEEP

12288:saN1oFW+sGm2L+cf6Af1SjLX562pNJLS7rtQAPjuujP84Ke7/QHD8Q8WqMS:/N1/+9f6AfycWNwntQTOKcQ4Q8Wqv

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot1357208205:AAHe7ESnNG33RDuS0vA69tSObcJ_JTRB3K8/sendMessage?chat_id=1290383449

Targets

- Target
  
  d6cb12c81a7f4d29e096f01c0726eccf_JaffaCakes118
- Size
  
  775KB
- MD5
  
  d6cb12c81a7f4d29e096f01c0726eccf
- SHA1
  
  a253daac9efe283704c1b679843770c7d4ac3f3e
- SHA256
  
  e0373c3ce75d84a7a083c330250a6ad3a6705ac9bad84353bd7bc40dd3f2a66f
- SHA512
  
  c65101c6e8c0524d2fb2eec85ad09f6bc836f4b623e70de5b6bed3a14b34c42ea4e624bf3f459a4da37ac514c1836a8d013b86b648bd78be4749a65a09454d6d
- SSDEEP
  
  12288:saN1oFW+sGm2L+cf6Af1SjLX562pNJLS7rtQAPjuujP84Ke7/QHD8Q8WqMS:/N1/+9f6AfycWNwntQTOKcQ4Q8Wqv
Score

10^/10

snakekeylogger collection credential_access discovery keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  fccff8cb7a1067e23fd2e2b63971a8e1
- SHA1
  
  30e2a9e137c1223a78a0f7b0bf96a1c361976d91
- SHA256
  
  6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
- SHA512
  
  f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- SSDEEP
  
  192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  n7m28sh5h6ikf7y.dll
- Size
  
  11KB
- MD5
  
  ddfdc9409a8f3085a4c5baafd9f08d02
- SHA1
  
  ea5fd42e6a0490eb35d29410c9b21d2b19249ad0
- SHA256
  
  aed5089196f2cb89f01a2ac3a5927cf84903aec87d886a40f8c3b02120309acd
- SHA512
  
  8e07676bd99b223eca8ea2d4f02e07f56f99bdebd231c44374474fe9416bdf4dd6f9c87e36fdf7497e8192adacf0418200298d1b93cc079c2efe75f46a6cbb1f
- SSDEEP
  
  192:BT0pIkqEwCLqEujEzuQpcBGV4YW1xEa0OPuuwW4:vkwE/1pX4516IGuw
Score

3^/10

discovery
behavioral5 behavioral6