snakekeylogger | 9d6809e7d22ef036b8b789a20e684c258686cb9afb3899ed89675007621bc3e5 | Triage

Sharing

General

Target

9d6809e7d22ef036b8b789a20e684c258686cb9afb3899ed89675007621bc3e5N
Size

131KB
Sample

241002-qzkqbayfkl
MD5

594c5052fc99e6818a13fed43b4c50c0
SHA1

873fea4c018b465c44b1dd8914497df03267ce2d
SHA256

9d6809e7d22ef036b8b789a20e684c258686cb9afb3899ed89675007621bc3e5
SHA512

23898bd7b7ce500c95cb42df085c22d82ab0e806dc8c9c2f4d8fb2459e8d25ab533ea8c2f05ccc9540b755fed1b02fc30cb256f813d6594f1c9a0bac8c72809b
SSDEEP

3072:6p/hYgDQapNqiSMPTQBkb5yqsYQwv80qgbY:cYcQkQabHzb

Score

10^/10

snakekeylogger collection discovery keylogger persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
webmail.sventerprises.net
Port:
587
Username:
[email protected]
Password:
Kspatil@672
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
webmail.sventerprises.net
Port:
587
Username:
[email protected]
Password:
Kspatil@672

Targets

- Target
  
  9d6809e7d22ef036b8b789a20e684c258686cb9afb3899ed89675007621bc3e5N
- Size
  
  131KB
- MD5
  
  594c5052fc99e6818a13fed43b4c50c0
- SHA1
  
  873fea4c018b465c44b1dd8914497df03267ce2d
- SHA256
  
  9d6809e7d22ef036b8b789a20e684c258686cb9afb3899ed89675007621bc3e5
- SHA512
  
  23898bd7b7ce500c95cb42df085c22d82ab0e806dc8c9c2f4d8fb2459e8d25ab533ea8c2f05ccc9540b755fed1b02fc30cb256f813d6594f1c9a0bac8c72809b
- SSDEEP
  
  3072:6p/hYgDQapNqiSMPTQBkb5yqsYQwv80qgbY:cYcQkQabHzb
Score

10^/10

snakekeylogger collection discovery keylogger persistence privilege_escalation spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Wi-Fi Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

snakekeyloggercollectiondiscoverykeyloggerpersistenceprivilege_escalationspywarestealer

behavioral2

snakekeyloggercollectiondiscoverykeyloggerpersistenceprivilege_escalationspywarestealer