snakekeylogger | ffb23cc112eda5d6390a899f3185b7e2cd11c31b2c34bb8e6c3509382d3e64cf | Triage

Sharing

General

Target

ffb23cc112eda5d6390a899f3185b7e2cd11c31b2c34bb8e6c3509382d3e64cf.7z
Size

145KB
Sample

240919-ccwbmsveql
MD5

c0107a7343aba58c9304ca6186168e7d
SHA1

6b755159cc3900e4a9302ab50b2c8124a888e566
SHA256

ffb23cc112eda5d6390a899f3185b7e2cd11c31b2c34bb8e6c3509382d3e64cf
SHA512

e185558a5495b28da579d40dd58762521f70aa12484c96e798ae0b80ee0c2d4a5c0cbc5ee9a63e39e6c215a66a2222cf8295a8ad5fe06566816e3ad5da042e35
SSDEEP

3072:xPVCiVlJNTqwXM/kYwowFmNoUaUsn1hNgcyc9GUMqWSkVC0a:yeLNTskYwozfEg+GUxiC0a

Score

10^/10

snakekeylogger collection credential_access discovery keylogger persistence stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
bisttro.shop
Port:
587
Username:
[email protected]
Password:
W79cDo2h05Iv
Email To:
[email protected]

Targets

- Target
  
  IMG_1507_1603.exe
- Size
  
  476KB
- MD5
  
  2a8a0d373755a556111968002bb0ae18
- SHA1
  
  f2a651bbc2f162b00c36d6c742afeee573873304
- SHA256
  
  1635f4e2f8b923df075800c4654771d8253a3081a7a19788d033b479482e4361
- SHA512
  
  f243f2381368c1c296b2f9b0a757c5040bc2fdbfefcc339b45f4a85fb3d7e2da27b3b626825261c1788753e29ca50338a1b97742d2354932c3430a4dfcde1fc8
- SSDEEP
  
  6144:hc596EGotRMO7a89EibwB4Cw88YTK7XjHbHI5Cj604zhMhr1:hc596EGmKO7a89Ez4C9DGDb4CB
Score

10^/10

discovery persistence snakekeylogger collection credential_access keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistence

behavioral2

snakekeyloggercollectioncredential_accessdiscoverykeyloggerpersistencestealer