snakekeylogger | 5fa3a2796eaf9563333a8da8feae53d42fc90d4ab3de1dbb1bb38d4c3923945c

General

Target

Doc_2024.342.2420329_2.pdf.rar
Size

686KB
Sample

241018-h5w2jaxaql
MD5

6acffabf04ed64b2857c6003949c69d8
SHA1

e47cdf54d7b4a097ff8d7e2b6beeff19997b4051
SHA256

5fa3a2796eaf9563333a8da8feae53d42fc90d4ab3de1dbb1bb38d4c3923945c
SHA512

8f7d2a46fbc95fdc71378259caaf253602df422086f4a7131639ea7c4ee21c7b15e781e9322c03a8df8c54857fabfd269951223a332557228ef085c6f09fc856
SSDEEP

12288:ifI9udgJkGb9kBswqAcGhk/0w7onhoUrrLNH4duopa+isbTk7lRn4aQbjt45Hw9M:ifGPUBhqzz0BRBH+ISbulubj65DsZNa

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
smtp.securemail.pro
Port:
587
Username:
[email protected]
Password:
jrpM0Y5k
Email To:
[email protected]

Targets

- Target
  
  Materien.exe
- Size
  
  752KB
- MD5
  
  da48313586a7ed35308c3d7b730be3a8
- SHA1
  
  3ccfbbce591a3f16cc620984d2be7929fd7c69a5
- SHA256
  
  802900953255394194cffac091a16c4edbee0cacb91ea43823ed2e36b5b4a3c4
- SHA512
  
  5fc0666e58ff30541c5205de42009ca9340308dd3c664b9b1e28ebaffdb7ee2ed24ad584b1de2157472ef2ce172dc84fee0521d6729c7e8af27573eeae49a186
- SSDEEP
  
  12288:jGHXvdN4G9MMe/OdNDqJ83eCOyGOs61IYZVAecgs9FMa1Mdq8jJa:juNNesNlLDGMIYO7MoOa
Score

10^/10

discovery execution snakekeylogger collection keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Tillgspensionen.Ask
- Size
  
  53KB
- MD5
  
  1e72916a0e82da66cf7753db11b602a2
- SHA1
  
  322d0c1a058a5c4ba50f534137c45462dd8b989d
- SHA256
  
  8a7aca1e042680f82f1703da26587d5058e55cdc50a9da8bc7bd226d1a6748d4
- SHA512
  
  b32c7d41172e7df012277acb4f8662e1d5949db80d9a35a68433eaee8d740b46a0d3a068d6609140e86e846b0ac436e21e18ba7d85b17db3214cc7ef833af203
- SSDEEP
  
  1536:PU0/q/xmGzkHZeRcFThmlZA4snsEKhBRLUM4it/xIC8ZYHg:L/WRkoEhmbA4snedgMRtx60g
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4