General
-
Target
01122024_1012_Swift-Copy.vbe.rar
-
Size
1KB
-
Sample
241201-l8r4jayrhx
-
MD5
6d0eba95bc3ea07c67ed9fa699b8c9f3
-
SHA1
37fd9cc91b384c72800a40761fc778b30adc4f1f
-
SHA256
a09fa706d58a781099b5bdd94c6c1b67ac008513b2513caf21bce8352a8fab24
-
SHA512
a3d002b750fbc278a7bf0948e1de81e50492e0e8f65ecab0beb9219522ea4729e3e914753b39ec570a1037056cbf05573c2765338d2107637b6197cd10752f3e
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
evqqlnwkcmogylje
Extracted
snakekeylogger
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
evqqlnwkcmogylje - Email To:
[email protected]
Targets
-
-
Target
Swift-Copy.js
-
Size
7KB
-
MD5
22cfe7d8acc1bed51a3934fe28c4025a
-
SHA1
fe802bef1a232c7ec5bdf9cda03a072c60da13c5
-
SHA256
abcc7d5dc77c35bd53867a3694c4d3357e17e3d4a1b9bcfa52ee78b48a01c64d
-
SHA512
7d0e0805f98ecaa48edd6ec414876368f99fe137a6820d6d0a5634718efcdbc32ba255029f37ca27cbf0566c5223b4c3019aa1a41bde80340f7551715a6812df
-
SSDEEP
96:UiPSOGFiruMX5DUrqrj5trZDUWG5IuMX5DUzN8FI8/LiOI8/LvMMnN8UOuMX5DUZ:NLCnXrULZ6O
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Snakekeylogger family
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
Swift-Copy.vbe
-
Size
9KB
-
MD5
3a62dc625d7dd22fd4c2aba6e7058dd4
-
SHA1
2b264827a034a913128d9fb362a3b789005ba4f0
-
SHA256
895e3a8a58ca8d0b65bdb92d181ea4ebd53b479872e75c7455e892b58149cb38
-
SHA512
0872c46046e565a8d0866e95a57a7dd1d9a86e3f17eba48901ffc2d913c598c2b44b4d285c508ade8446ba64de44b00d9baa74a72b59cda506ea58f711145b7f
-
SSDEEP
192:FbmzV2nbm3m6G53Vm6z22m6THZKmQmjFm6TH8Mjm8bDmDj02IbmHKmvFnbmVFxVx:ZFbUIyKLK0LBrqPG
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Snakekeylogger family
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-