snakekeylogger | 667dd1230b6f4ecc2ad560c82587c8dfa5463af9838aae6610ddacc7e71cde40 | Triage

Sharing

General

Target

purchaseorder.7z
Size

50KB
Sample

240927-d176satakl
MD5

d75702c86cca899f8037b4491b5bcec4
SHA1

d0d0bd99c748f4ec66d706e3ed1a39653e33e38c
SHA256

667dd1230b6f4ecc2ad560c82587c8dfa5463af9838aae6610ddacc7e71cde40
SHA512

167fd312dbe499224a484f3fb1e9be26f805436fc707fdec4e25c0fc43f787ba50474e03da415292293d289ad5e24032eae25dc204fade0878db964555d73582
SSDEEP

768:Roh8mkGhMl9KjwKsWm2pjHBedV7gBLtopNymofAsn3c+wPgyOtdX4Q0OM1xv/8VR:K+uWKjmGHBS2LuNLogLqt4QiLCtyZumO

Score

10^/10

snakekeylogger collection discovery keylogger persistence stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
zulpine.shop
Port:
587
Username:
[email protected]
Password:
e5xECScP5KfC
Email To:
[email protected]

Targets

- Target
  
  purchase order.exe
- Size
  
  441KB
- MD5
  
  b0783a18de531b50debfe5252bc25558
- SHA1
  
  bc564e0ceb0e8f99602247bcc559a583f77db8ce
- SHA256
  
  018ff37ba8b41d1ae1669d3fd841351f4197f9594c7f05512b5a99cfda88549f
- SHA512
  
  927ff7d89d9820745ab5208793444ade73da993b4c482f31297e093cb9d3cee96a8ae0808c1a4813612d61b1eba4e7d40bc7d9c037f4e337f5dccc4228c25e46
- SSDEEP
  
  1536:TzOp02gL1jszmCCCCCpCCCCCTdvCCCCCCCCCCC3CCCCCCCCfFIeCCCCCCCCCCCCv:TzSY+zCdsP6GBxhDCovrU/s
Score

10^/10

discovery persistence snakekeylogger collection keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistence

behavioral2

snakekeyloggercollectiondiscoverykeyloggerpersistencestealer