snakekeylogger | 365b8dab76c07e3c7ea3cd4a9d683265db5210b6b9a30e9dc520f358b829d30d | Triage

Sharing

General

Target

inquiry#1523.exe
Size

82KB
Sample

240910-qc1s1sxakf
MD5

af2b325becf3f12462529b961699557a
SHA1

88da506a656c9ba9615e4134234084bd5c6c086f
SHA256

365b8dab76c07e3c7ea3cd4a9d683265db5210b6b9a30e9dc520f358b829d30d
SHA512

114e5bae2cf466ae6d7ace9728cac19e738dd5aa532df07b082d42fab22b7a2f286a606a6c476d4cbbea6c8f14804e300ca0e76d634e75ba22c0a8fecc6dad96
SSDEEP

768:v632KhVO49eYJBvmCcQw5cEpYinAMxEP:ymKP9JBvmnQG17HxE

Score

10^/10

snakekeylogger collection credential_access discovery keylogger persistence stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
jertcot.shop
Port:
587
Username:
[email protected]
Password:
OxMHQMpgDVzU
Email To:
[email protected]

Targets

- Target
  
  inquiry#1523.exe
- Size
  
  82KB
- MD5
  
  af2b325becf3f12462529b961699557a
- SHA1
  
  88da506a656c9ba9615e4134234084bd5c6c086f
- SHA256
  
  365b8dab76c07e3c7ea3cd4a9d683265db5210b6b9a30e9dc520f358b829d30d
- SHA512
  
  114e5bae2cf466ae6d7ace9728cac19e738dd5aa532df07b082d42fab22b7a2f286a606a6c476d4cbbea6c8f14804e300ca0e76d634e75ba22c0a8fecc6dad96
- SSDEEP
  
  768:v632KhVO49eYJBvmCcQw5cEpYinAMxEP:ymKP9JBvmnQG17HxE
Score

10^/10

discovery persistence snakekeylogger collection credential_access keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistence

behavioral2

snakekeyloggercollectioncredential_accessdiscoverykeyloggerpersistencestealer