General

  • Target

    1_email.zip

  • Size

    509KB

  • Sample

    241214-s2mc2awpfz

  • MD5

    d7e0b9f679bafc78cf5aadd5c3480545

  • SHA1

    185bf43e476b4027492ace2b73d69cf0eb1ea875

  • SHA256

    5fab2b5a50f8f9432a51f9e9538b1151d6cff93a2744144a8e2263f7f462e231

  • SHA512

    a76d9f17434f56e51fa33cd0498d4dafc4fc348b2fa19fc5d919f2173fd38651c3ec47c2380d95fb723e43a3f64459e19c3e2e3414cd08c49f3911d3e0d17a7d

  • SSDEEP

    12288:XnLaBzLTZGXZ+mStdggO7N0nTuL33nkXvICwCkcw6MOIMJ:36rZGotd1KN0n3HnMOr

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol: smtp
  • Host: us2.smtp.mailhostbox.com
  • Port: 587
  • Username: [email protected]
  • Password: UWzDeXWsD8

Targets

    • Target

      1_email.zip

    • Size

      509KB

    • MD5

      d7e0b9f679bafc78cf5aadd5c3480545

    • SHA1

      185bf43e476b4027492ace2b73d69cf0eb1ea875

    • SHA256

      5fab2b5a50f8f9432a51f9e9538b1151d6cff93a2744144a8e2263f7f462e231

    • SHA512

      a76d9f17434f56e51fa33cd0498d4dafc4fc348b2fa19fc5d919f2173fd38651c3ec47c2380d95fb723e43a3f64459e19c3e2e3414cd08c49f3911d3e0d17a7d

    • SSDEEP

      12288:XnLaBzLTZGXZ+mStdggO7N0nTuL33nkXvICwCkcw6MOIMJ:36rZGotd1KN0n3HnMOr

    Score: 1/10

    • Target

      32b4f238-3516-b261-c3ae-0c570d22ee18.eml

    • Size

      688KB

    • MD5

      60d00c17d3ea15910893eef868de7a65

    • SHA1

      1d17dd1688a903cbe423d8de58f8a7ab7ece1ea5

    • SHA256

      d13a7eaaf07c924159ea7bb8f297dab1d8da0f9af46e82e24052d6a9bf5e4087

    • SHA512

      c589a12dbbd2598eeb74564ae11142a2d1a17beb6fafcdb8211ff72d33dbe58ae7d17d03e5521819cd788a0c3158fe60738e15ef4a6285c1221d32f979c13813

    • SSDEEP

      12288:vZ1Tzm0D2acQLqgVIjejueFyhaCV2JKKS7hoxSSqkljhEi9lV7j:z7K8FuuzCV2JKkxPOQ3

    Score: 3/10

    • Target

      email-html-2.txt

    • Size

      19KB

    • MD5

      64999a3d3bf119171122cded4c5a2880

    • SHA1

      9c106f98e512b34c5f8027a7b8a33fe176b55cdb

    • SHA256

      c106566f838b9353aabc9c4ac711925a5113be84b1a8a35a9a31a8cbdd4d3d46

    • SHA512

      106b3eff1f26eafb51e1ffe693b39c1d192fa8151a4e7c1a90daffbb5cf326371c2b32878f4b3b2ded05c66ae3ef1d54aeea666b322ffbeef506c4a12ef85b35

    • SSDEEP

      384:IoP0Ehux5Ox5RxEsx5Nx5Rx5MJx5sxcx5ox5REGnxTf:I3EhAg8GFRM5HKR55

    Score: 1/10

    • Target

      email-plain-1.txt

    • Size

      429B

    • MD5

      c7dbfabc14ad7fe225c2378dcd82071e

    • SHA1

      1f06af9a032fa64804036b2504a2488c2fbc9793

    • SHA256

      2abab8b49cbc5ba467f071c46487b6bc6395236f8bb1cce1ad97d70ce812c7aa

    • SHA512

      dd1c2af5547c5ea387921414be0a9d8b63fd5b7d6a3ecafe4a820c3ed75b79006903f35fedb1bf28e0e203bbcf631e1d3c94805afe84d72ef64b6187411a648a

    Score: 3/10

    • Target

      image006.jpg

    • Size

      1KB

    • MD5

      4f63f6a5270c8dbeff85edd7110f14f5

    • SHA1

      514256d462fdc1cbdaba5d9623dabee8d99f0cbf

    • SHA256

      2720945e2d8451c11e11c12d59ddcf8bdb0795979a483964bee64eb8bba0ee91

    • SHA512

      601202b023c26c252c2389b33c8cd66c062612248456bd3c90397b173faef6fb82003741e7b555a480f5f2f5cca536363ffddbac12b89f27ce38f3136a2a0655

    Score: 3/10

    • Target

      pago 4094.r09

    • Size

      479KB

    • MD5

      a448bda0002ecd968b6ae9526617c974

    • SHA1

      cf13df73eff74b9ceb6d837c1d7cc9d01fe918db

    • SHA256

      ad24b345eac9876a65fb6b0d2eda0da669c3b23aaa969db9ce913f8a63c0a5f1

    • SHA512

      2f819a259e875183db1fd4357f94296352f2953a1c1536459d6df625222c19feaa392ccd8d9c3b4051960b5c1095bd06e8f8315b6882ae150f99b813fee83dc2

    • SSDEEP

      12288:FlVvIQalIT28m/A4CAa0nuRG4XYB5pYGCP5G:Fl5nalyGzBuk4IB5pY7G

    Score: 1/10

    • Target

      pago 4094.exe

    • Size

      528KB

    • MD5

      1a0f4cc0513f1b56fef01c815410c6ea

    • SHA1

      a663c9ecf8f488d6e07b892165ae0a3712b0e91f

    • SHA256

      d483d48c15f797c92c89d2eafcc9fc7cbe0c02cabe1d9130bb9069e8c897c94c

    • SHA512

      4251fd4738f6b47a327b1f1d7609aa5af623669734a1fc9ebf5786337d0fbc5142c8176e51f9f2f5869e47bdbbb2f46090f66fb3cea30189d57917b58049f84b

    • SSDEEP

      12288:PXPZDbCo/k+n70P4uR87fD0iBTJj1ijFDTw:hOz+IPz6/PF1ihDTw

    • Snake Keylogger

      Keylogger and infostealer, first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive items.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks