snakekeylogger | f8b3078e40bcfcd0c464054ab5d942bff72aa8c27aa6cf9838dd2daaac854caa

General

Target

f8b3078e40bcfcd0c464054ab5d942bff72aa8c27aa6cf9838dd2daaac854caa.exe
Size

774KB
Sample

241107-d52vkavfkq
MD5

35a14ec5e93e8606051d692c0510b4b2
SHA1

58ffd63f713bf54c45237f3012cc92f624966376
SHA256

f8b3078e40bcfcd0c464054ab5d942bff72aa8c27aa6cf9838dd2daaac854caa
SHA512

a2d1173236b20a717d9ea402fd29540ce9ac002d49421d8343c34e7e63d5fcd8c9a3419ed130c677ac380b0a571cb7db23d6601cee19cc321045c0c035795c3c
SSDEEP

12288:tPVXv0yQ9TUH2pKvC7oh/dDVJnvpeBWIbyuwQL3OWntl81tTTZ/Oi5DwFyEionDs:NnnHLC2dfvpk5yRQLvf81BV2m6ionDu3

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.tumteks.com
Port:
587
Username:
[email protected]
Password:
Tt36556300Ss.
Email To:
[email protected]

Targets

- Target
  
  f8b3078e40bcfcd0c464054ab5d942bff72aa8c27aa6cf9838dd2daaac854caa.exe
- Size
  
  774KB
- MD5
  
  35a14ec5e93e8606051d692c0510b4b2
- SHA1
  
  58ffd63f713bf54c45237f3012cc92f624966376
- SHA256
  
  f8b3078e40bcfcd0c464054ab5d942bff72aa8c27aa6cf9838dd2daaac854caa
- SHA512
  
  a2d1173236b20a717d9ea402fd29540ce9ac002d49421d8343c34e7e63d5fcd8c9a3419ed130c677ac380b0a571cb7db23d6601cee19cc321045c0c035795c3c
- SSDEEP
  
  12288:tPVXv0yQ9TUH2pKvC7oh/dDVJnvpeBWIbyuwQL3OWntl81tTTZ/Oi5DwFyEionDs:NnnHLC2dfvpk5yRQLvf81BV2m6ionDu3
Score

10^/10

discovery execution snakekeylogger collection keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Snakekeylogger family
  snakekeylogger
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Accesses Microsoft Outlook profiles
  collection
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Saccate/Chiriguano.Ski
- Size
  
  51KB
- MD5
  
  6c30e6cb99e14b8e5446a9a5726167ed
- SHA1
  
  01d799ef731cf409d29a51696fd3380b296f8730
- SHA256
  
  3a0443fe99e0be036a5747d6c6a4a0202f5f55ffb8a338af90f829d8bbf5d5f6
- SHA512
  
  39358a6fa774429954c0a599f55685608220eabeef19b6c9be1040169b65577d51c9306d537a248779a79b092e820fef7e9ee4f256297434c3677be7f75b8696
- SSDEEP
  
  1536:kVpjFOKIF51+UTMIKwoQTOxBrlGtGfZWShL+m:sFO1FChNBg5EL+m
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4