snakekeylogger | 353a6f797e3e2c4e296ee8e5a72e393657f8e84889edd579d6f239c5d4ada270 | Triage

Sharing

General

Target

353a6f797e3e2c4e296ee8e5a72e393657f8e84889edd579d6f239c5d4ada270N
Size

977KB
Sample

240919-pcr1faxemg
MD5

fea83f260f2972644d1dd41309f41200
SHA1

859123bbf12e66d283c9a991f1ee62e8f7061ac5
SHA256

353a6f797e3e2c4e296ee8e5a72e393657f8e84889edd579d6f239c5d4ada270
SHA512

96d6676794b3a19506749ac7723a028a4c5f199ee414f80811f7cf01b4e2376917d444a0e0dc31d95439d5f41a2b0ba47fd05abac147912ee295a026410fa4bc
SSDEEP

24576:QqNfcE3qokV5EkITpoWZHUkAjVhMfo9NWtxIVSfb+PP4Iyv10cv:QSkWFEEXyZVhf94txePOecv

Score

10^/10

snakekeylogger collection credential_access keylogger persistence stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7327372938:AAHFwuC3knQ9jY-1T98yh8owXZiixS_neU0/sendMessage?chat_id=6951521546

Targets

- Target
  
  353a6f797e3e2c4e296ee8e5a72e393657f8e84889edd579d6f239c5d4ada270N
- Size
  
  977KB
- MD5
  
  fea83f260f2972644d1dd41309f41200
- SHA1
  
  859123bbf12e66d283c9a991f1ee62e8f7061ac5
- SHA256
  
  353a6f797e3e2c4e296ee8e5a72e393657f8e84889edd579d6f239c5d4ada270
- SHA512
  
  96d6676794b3a19506749ac7723a028a4c5f199ee414f80811f7cf01b4e2376917d444a0e0dc31d95439d5f41a2b0ba47fd05abac147912ee295a026410fa4bc
- SSDEEP
  
  24576:QqNfcE3qokV5EkITpoWZHUkAjVhMfo9NWtxIVSfb+PP4Iyv10cv:QSkWFEEXyZVhf94txePOecv
Score

10^/10

persistence snakekeylogger collection credential_access keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

snakekeyloggercollectioncredential_accesskeyloggerpersistencestealer