snakekeylogger | 0a9ecd688ef796b210e188f80088291b9d8dcfd820f80f5e2cb5d25bca8d159d | Triage

Sharing

General

Target

0a9ecd688ef796b210e188f80088291b9d8dcfd820f80f5e2cb5d25bca8d159d.arj
Size

17KB
Sample

240926-bf94jaxhmr
MD5

3fb10b7d82fec72c138979af201d6fe3
SHA1

0c0dc8063b1378c04870ab686716be1f2c0cbd98
SHA256

0a9ecd688ef796b210e188f80088291b9d8dcfd820f80f5e2cb5d25bca8d159d
SHA512

2e5c675ac3cded0588951ed83ae7bf18284ae4c56ac443461ba346b9364870398ca4fe719a46b4e5b133b82a7bd701cf1c2c08b150b7bf52fa12dfb15b772526
SSDEEP

384:NDeeSWOdTuf186oFaWVKpgR2vQN0yH53Q/+H+qjybBBMUafbHUKiiDk9b1:EeudTuf186oFaWkp34Z9zILMUkHT5AZ1

Score

10^/10

snakekeylogger collection discovery keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7541020039:AAGsq8h1YFdFZMkWR4YvtTV1a-gYO_XOaR4/sendMessage?chat_id=5593200404

Targets

- Target
  
  Products List.pdf.scr
- Size
  
  40KB
- MD5
  
  4e783011f451168c8c75229518d350a6
- SHA1
  
  be7e0c5f52d8ca1ebffadf27816d4f06adcf5567
- SHA256
  
  86ea9ea45a530191cb5f42b3336b00cfb92dd219f0861e5dc9dac7f5d1e48232
- SHA512
  
  dd66bb38ae4117190eacb0bab5ddab5eee9b1c8c927271186ce3028d04ec4a8fe22cf68b33ff1f98179dc7a9be9187df9074276a849ef805eb94937140cc0e69
- SSDEEP
  
  768:S8T7EgqeXx/Q+c3cUgTo0cNHqvRe5AmNPseYbfdleI:D/EVeXKiUgbRSNUeUleI
Score

10^/10

discovery snakekeylogger collection keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

snakekeyloggercollectiondiscoverykeyloggerspywarestealer