snakekeylogger | c4fe7447aea459eef046d371a5035d2fce7704c0af9e55423c62601ebbe34658

General

Target

c4fe7447aea459eef046d371a5035d2fce7704c0af9e55423c62601ebbe34658.tar
Size

570KB
Sample

241031-edqtna1jfk
MD5

fb9fb0f66179435d8f529e87c8816cc3
SHA1

f1b1b98fd53d33e446742e18d832518eff1b7f1b
SHA256

c4fe7447aea459eef046d371a5035d2fce7704c0af9e55423c62601ebbe34658
SHA512

dc031e3208fb42dd71577343f5b5c9f5dc87178b61bc8273d9dbac1fd4d756585f0d50992b015f8a0f88b31572ceb5b8b5dd1ed8d14ac44debc61e13c91c7c13
SSDEEP

12288:fyXgtlUbbYlDjrGyBg8OlLX/dgIQHQN/Zt49TXq41BglSHN/0o:htlQbYlDH9dGrdNz45lB8SHN7

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7557806283:AAFiqTWzN-gLgC-2y3c1Dz5CtqTp-HN6TYc/sendMessage?chat_id=7451270736

Targets

- Target
  
  Commercial offer+Technical offer_pdf.exe
- Size
  
  642KB
- MD5
  
  4806339fc2f24f3bab7fb6620826d603
- SHA1
  
  edc14208fcbd256801a2062dde49a52dd4f2890d
- SHA256
  
  5e0c5d2342ce0c3460d6c853a64efc16a89b9fe93372334d78163dfe7efb7e12
- SHA512
  
  70f75834b884a5a1309ca4b52b4b8d01ed63bccfd22e9fa9035ae3ac83582e46325de6f91bf39fd391db531117579170391f1a7710e8ccf67833d962b44b2182
- SSDEEP
  
  12288:ggu58UO/0Li3SaNlPhq7P9ekopAAT26ZvgVlmee/6BRERMHA+5QpU:gguuv0LPaNbqT9R2vgNeyTERMgm
Score

10^/10

discovery execution snakekeylogger collection keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Snakekeylogger family
  snakekeylogger
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Tablespoonsful/Hpital.Svm
- Size
  
  55KB
- MD5
  
  5c3047a848544b49eb82d09ed58708f3
- SHA1
  
  27c59daa34a25319f77d2dfe91613a4669803e21
- SHA256
  
  72a4194d8fcae2e4cfa2bd19dda030d1a7a05f27b2cc5197b6fceffb6b9decf0
- SHA512
  
  d783fa64387306adc639d5051bb153c5437ceeb1dc5abbd71d28cd2e1019209b13e1188bc94ab0ebe14cb94daba838293592361ea29451695f41d995b08c3e6a
- SSDEEP
  
  1536:QPchwSZoEGZC7CeFKFtsBYcmPuhjywMaJzzivfkIYFPixSk6aVM:WchwS/GZMFEMBthiaQvYJg6a6
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4