snakekeylogger | eeb19ccec86a82f4ebbe4512ebadca5089bc192478a356a99824a89b1f122995

General

Target

eeb19ccec86a82f4ebbe4512ebadca5089bc192478a356a99824a89b1f122995.exe
Size

762KB
Sample

241107-rn3x7awnam
MD5

4398a15085a3837ef2ef6a7b056643c6
SHA1

d15e71d5e8e9b750d429c7602d98e7203c24543b
SHA256

eeb19ccec86a82f4ebbe4512ebadca5089bc192478a356a99824a89b1f122995
SHA512

34b5b0b7299c325a525675c8a0cc9e4cd6ce724866530bba7933c783c87d73f477297e8d865af6836926e5cf579292f4ce385f2c2c8ce89f916199d048a8dafe
SSDEEP

12288:8PG/hGy3E/kipG6IhwYz0BWIbyuwQL3OWntl81tTTZ/Oi5DwFyEionDud:QGhbYpGjhwYzO5yRQLvf81BV2m6ionDE

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
smtp.securemail.pro
Port:
587
Username:
[email protected]
Password:
jrpM0Y5k
Email To:
[email protected]

Targets

- Target
  
  eeb19ccec86a82f4ebbe4512ebadca5089bc192478a356a99824a89b1f122995.exe
- Size
  
  762KB
- MD5
  
  4398a15085a3837ef2ef6a7b056643c6
- SHA1
  
  d15e71d5e8e9b750d429c7602d98e7203c24543b
- SHA256
  
  eeb19ccec86a82f4ebbe4512ebadca5089bc192478a356a99824a89b1f122995
- SHA512
  
  34b5b0b7299c325a525675c8a0cc9e4cd6ce724866530bba7933c783c87d73f477297e8d865af6836926e5cf579292f4ce385f2c2c8ce89f916199d048a8dafe
- SSDEEP
  
  12288:8PG/hGy3E/kipG6IhwYz0BWIbyuwQL3OWntl81tTTZ/Oi5DwFyEionDud:QGhbYpGjhwYzO5yRQLvf81BV2m6ionDE
Score

10^/10

discovery execution snakekeylogger keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Snakekeylogger family
  snakekeylogger
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Citicorp.Amf
- Size
  
  52KB
- MD5
  
  50a86de35927f45ce009f37494068b0d
- SHA1
  
  880c888d5e156d7080395c964614872fe42ac89d
- SHA256
  
  ff7d67d9d4613f0716febf78a0e813953862c77bb5f084eebf881ac02809984b
- SHA512
  
  230f60733ee595111e91b0bb9c99a5a4c72b5ebfb1b77ff544b5aadeff5179fccfcd473fa8caa290798d6558f753663d21f966a6db9b2193d15e81adef6159d6
- SSDEEP
  
  1536:CouBFNxtHIbsZOUwUKo0gwGXjnhDvWZHK1y22IE:MxiGS1o0LGTnhDvUayx
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4