snakekeylogger | 86c80e1d74b98fb8b8abfe7a222445b06935c53911284742bce2db75faefaf4f | Triage

Sharing

General

Target

86c80e1d74b98fb8b8abfe7a222445b06935c53911284742bce2db75faefaf4f.7z
Size

109KB
Sample

241125-rpkg8s1kbs
MD5

544bd906aa8a41f8f7a2a846c23bd1e5
SHA1

40bacc4552390cd891910f30fdf6c08679ab085d
SHA256

86c80e1d74b98fb8b8abfe7a222445b06935c53911284742bce2db75faefaf4f
SHA512

f7c608be9ce7ed1d909615c94a4ab28f9705ea74a5b8c45b7f1f3e9f1fe98ce1be7a9282d8ae856d8f3c5e553dd4bd80842d8b5412bc74bca218b353b34f05ec
SSDEEP

3072:DmigQXEvJHFq1V+Uoo8HsxkTIpYDUCa20YL:CWXgJHycv7lToCa20O

Score

10^/10

snakekeylogger collection discovery keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
juguly.shop
Port:
587
Username:
[email protected]
Password:
rEBS93U9rKLG
Email To:
[email protected]

Targets

- Target
  
  Ref#10784512.exe
- Size
  
  532KB
- MD5
  
  08565a4a256fb8f4f3497c695991829f
- SHA1
  
  b2c4d59213108fe33197e3685b1602f56047f62c
- SHA256
  
  b5d25a995424fd4d4fe5303ca4e90ceeb2794989f58213bda32b29c8716c5cfb
- SHA512
  
  af2abd0960d15c9dcb6b168318be8ea66b357c07bc23bfc74e4c0784300863798ead484b4b76ec802139fe9d737164df4d5db95b31601e715fb43003fa617799
- SSDEEP
  
  6144:CecUj2wJOTSYPagobSxxIxx0xxxxxxxGsrw3IX7a6plD:CecE2wGGsLV
Score

10^/10

discovery snakekeylogger collection keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Snakekeylogger family
  snakekeylogger
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

snakekeyloggercollectiondiscoverykeyloggerspywarestealer