snakekeylogger | 8ca3ae0879c2f0a794977ec3a28d26497825dd68ec048d926c597a69d54b53bd | Triage

Sharing

General

Target

8ca3ae0879c2f0a794977ec3a28d26497825dd68ec048d926c597a69d54b53bd
Size

17KB
Sample

240925-pn6b7svfrk
MD5

bed6ef49260684f2f4139f650f715d3b
SHA1

7d471b81facc214d60353f2e99af5601e2cc8bc6
SHA256

8ca3ae0879c2f0a794977ec3a28d26497825dd68ec048d926c597a69d54b53bd
SHA512

d1fe67558e00eb3ea7be12ee82bd1fefbe320c25176c9fa1b4ccf66cb4e28c4dd54752608c8c7e35f25d217c9b29424e0aeced9e3398f009fd488600c95dae4c
SSDEEP

384:5wRM3EE3L9CkYubliG0i612IXaGGmNTTdCkG8iY5D4xlEsSEZd39U7K50Ya/3:5w23ZCdu6X2NG16NY5D47bZg7Kejv

Score

10^/10

snakekeylogger collection discovery keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7662274889:AAGmLpUAq41adIZH12LVtlSBknhfnx9iQ2g/sendMessage?chat_id=2052461776

Targets

- Target
  
  25824092416350.scr
- Size
  
  39KB
- MD5
  
  47efd3b8ab6e976effe36624d98fd0c8
- SHA1
  
  d920072220b9ec9b2070e5f639ff67c6635841c9
- SHA256
  
  df9d082b89ca10844909eaa090c003ddd9081b369b0aa37cc4cbd3c6a91545fd
- SHA512
  
  593839894d56df016179d1b2063ccbf0580e031ac2fa6d02189308a113ce2953a6a7dcd72b0f303519a9f0f16ecbffdad7b140d9884f825167cafbd89c0fb145
- SSDEEP
  
  768:4NKrCse1JNEGgyFiHWYlhSwNnBzoz9uPowEkdEmkNWK50wZUek:44P0J2FyFIfMuPl2Nd50UUek
Score

10^/10

discovery snakekeylogger collection keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

snakekeyloggercollectiondiscoverykeyloggerspywarestealer