snakekeylogger | f696fe58ff5ed8b84610d32dbfd0c9fb74ab01e8884ef1df45dc58ea43274ed3 | Triage

Sharing

General

Target

f696fe58ff5ed8b84610d32dbfd0c9fb74ab01e8884ef1df45dc58ea43274ed3.exe
Size

941KB
Sample

240920-m6mlpssgpe
MD5

61f9e6be7cae28b88ea8481acbe0c2c4
SHA1

79f3eae9574c2a5e31483748ed4fb88d7ecd2d6f
SHA256

f696fe58ff5ed8b84610d32dbfd0c9fb74ab01e8884ef1df45dc58ea43274ed3
SHA512

fa0c63dd8c837f2368a3c858edb97b7f1208fe18cec09e1cb24d0bf4f0e073d8e30bc50d22b279ede734394b661eda0e7a16144a1957b282fffccf3007470378
SSDEEP

24576:CLPI+JIfpe0ba/gDI7/dccQ8hxQuP6qXxOt0khg0lPDQMAI:CEnRK/0Iy0XQRqXxREvhDQQ

Score

10^/10

snakekeylogger collection credential_access keylogger persistence stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7327372938:AAHFwuC3knQ9jY-1T98yh8owXZiixS_neU0/sendMessage?chat_id=6951521546

Targets

- Target
  
  f696fe58ff5ed8b84610d32dbfd0c9fb74ab01e8884ef1df45dc58ea43274ed3.exe
- Size
  
  941KB
- MD5
  
  61f9e6be7cae28b88ea8481acbe0c2c4
- SHA1
  
  79f3eae9574c2a5e31483748ed4fb88d7ecd2d6f
- SHA256
  
  f696fe58ff5ed8b84610d32dbfd0c9fb74ab01e8884ef1df45dc58ea43274ed3
- SHA512
  
  fa0c63dd8c837f2368a3c858edb97b7f1208fe18cec09e1cb24d0bf4f0e073d8e30bc50d22b279ede734394b661eda0e7a16144a1957b282fffccf3007470378
- SSDEEP
  
  24576:CLPI+JIfpe0ba/gDI7/dccQ8hxQuP6qXxOt0khg0lPDQMAI:CEnRK/0Iy0XQRqXxREvhDQQ
Score

10^/10

persistence snakekeylogger collection credential_access keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

snakekeyloggercollectioncredential_accesskeyloggerpersistencestealer