snakekeylogger | 6b737a6aef7bd8b764b2c3e8abfdf9ab4741fb23ef232a906fb4658b1db6d7d8 | Triage

Sharing

General

Target

6b737a6aef7bd8b764b2c3e8abfdf9ab4741fb23ef232a906fb4658b1db6d7d8
Size

1.1MB
Sample

240920-zfmv1axala
MD5

a89a0e42fc2e1f33abf93e44cad2073b
SHA1

a64345371fe0ad2c6885087329f5cf5a98af189a
SHA256

6b737a6aef7bd8b764b2c3e8abfdf9ab4741fb23ef232a906fb4658b1db6d7d8
SHA512

92e2979fa352488e8fae7b9ba650656d6af3c220ee3199c93163e6b15c249cbe9db1cfb1331698b47705412ec7dc91e6c92cab47a7428a14c7592336f5cd1961
SSDEEP

24576:oQDZIaJExFtl+ZLbcsR9Y4dOPAGFoCKNTlkejfrg4SVQGSakmJ:oQDZvJE7t4I29JuAGFoC0RkejfMcGSaH

Score

10^/10

snakekeylogger collection credential_access discovery keylogger persistence stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
bisttro.shop
Port:
587
Username:
[email protected]
Password:
XSgWVCcKUruF
Email To:
[email protected]

Targets

- Target
  
  6b737a6aef7bd8b764b2c3e8abfdf9ab4741fb23ef232a906fb4658b1db6d7d8
- Size
  
  1.1MB
- MD5
  
  a89a0e42fc2e1f33abf93e44cad2073b
- SHA1
  
  a64345371fe0ad2c6885087329f5cf5a98af189a
- SHA256
  
  6b737a6aef7bd8b764b2c3e8abfdf9ab4741fb23ef232a906fb4658b1db6d7d8
- SHA512
  
  92e2979fa352488e8fae7b9ba650656d6af3c220ee3199c93163e6b15c249cbe9db1cfb1331698b47705412ec7dc91e6c92cab47a7428a14c7592336f5cd1961
- SSDEEP
  
  24576:oQDZIaJExFtl+ZLbcsR9Y4dOPAGFoCKNTlkejfrg4SVQGSakmJ:oQDZvJE7t4I29JuAGFoC0RkejfMcGSaH
Score

10^/10

discovery persistence snakekeylogger collection credential_access keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistence

behavioral2

snakekeyloggercollectioncredential_accessdiscoverykeyloggerpersistencestealer