snakekeylogger | 4f0c13bf16b4e53b1513e2b268aec15c6c2a043f88a58dea69c88e25eb920853

General

Target

4f0c13bf16b4e53b1513e2b268aec15c6c2a043f88a58dea69c88e25eb920853.exe
Size

662KB
Sample

250110-rfkfwawmcs
MD5

e38257f3eaa78e2dca3c3063b05eaa70
SHA1

250d9151f64818a8bfa51d3714a6ddb214303495
SHA256

4f0c13bf16b4e53b1513e2b268aec15c6c2a043f88a58dea69c88e25eb920853
SHA512

483dc9cbef3e26973e0d51601b146472c64b0e2c95b0c98154bd5c2a49afce5b867e9ed56fd9ed9d9e939a0c9c023413aa775078b22873ce267db55f2a7c1bcc
SSDEEP

12288:k2QJ9o2sW3B9o2G2/6SkwwOeO01ZAao2tezqrVcO5sZYw6bhyWjX53XOo:kv9o2sW3B9oV2iSkwwOe/U2HVcaNhyaH

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
smtp.securemail.pro
Port:
587
Username:
[email protected]
Password:
jrpM0Y5k
Email To:
[email protected]

Targets

- Target
  
  4f0c13bf16b4e53b1513e2b268aec15c6c2a043f88a58dea69c88e25eb920853.exe
- Size
  
  662KB
- MD5
  
  e38257f3eaa78e2dca3c3063b05eaa70
- SHA1
  
  250d9151f64818a8bfa51d3714a6ddb214303495
- SHA256
  
  4f0c13bf16b4e53b1513e2b268aec15c6c2a043f88a58dea69c88e25eb920853
- SHA512
  
  483dc9cbef3e26973e0d51601b146472c64b0e2c95b0c98154bd5c2a49afce5b867e9ed56fd9ed9d9e939a0c9c023413aa775078b22873ce267db55f2a7c1bcc
- SSDEEP
  
  12288:k2QJ9o2sW3B9o2G2/6SkwwOeO01ZAao2tezqrVcO5sZYw6bhyWjX53XOo:kv9o2sW3B9oV2iSkwwOe/U2HVcaNhyaH
Score

10^/10

discovery execution snakekeylogger collection keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Snakekeylogger family
  snakekeylogger
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Accesses Microsoft Outlook profiles
  collection
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Sharpness.Kon
- Size
  
  54KB
- MD5
  
  a455a44aa414354fe74ee543bbf64451
- SHA1
  
  4d73664950e0b77b2f05eebce4e5c3d549cc18ea
- SHA256
  
  c7dac58dcad45abf34bee7c7567a746fada583c0e734d204ed2f71617c4b7b31
- SHA512
  
  a9bedcaa864985c0ec2f9eb521983d23f7b58689922f39305d17fa39aa41ef02be8bec3fc99d22caba1c34c56d6d68160f9dea27bc207eda83f97cc47f852fa7
- SSDEEP
  
  768:13Zs6XOqDlTXziiIlncM1oM1XgGZstyjmPcWCqqGKmafPMrV4yIAXBMWWYUGrY1b:1K69DF+lcM1tZaGK/QNAxIQsb
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4