General

  • Target: a9fefe0ab31ab5b1fe58285d812b2b77a88c6a4bb3dee3090feec4bb58833ea9
  • Size: 539KB
  • Sample: 250122-gdv5gs1qdn
  • MD5: 1a60beaa7081fcb3c29e430a6c8e11be
  • SHA1: deef92f1bd3d67d7783b02f1ced4b93a7d69ceaa
  • SHA256: a9fefe0ab31ab5b1fe58285d812b2b77a88c6a4bb3dee3090feec4bb58833ea9
  • SHA512: d9f451f54f87039f51c9e1e746da271a4675bf21f3ab26f10434a8023561d6865245e4348e19df7bcf0683e8046a65033eabdbb5fba42e97ae9c6d968fc87f4b
  • SSDEEP: 12288:f83Yedq5oDawgwmsqFYTJKEbYSwGXefmKFNR2Tq1agI3seC1Q:fsldaDsEO+Sp+4UYo1Q

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.murchisonspice.co.za
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    accounts786q#

Targets

    • Target: MB267382625AE.scr
    • Size: 628KB
    • MD5: f43238bfb93550676c942b1253179f07
    • SHA1: bfccd20fb37ff85ba836c618f15d2ad03f91b75d
    • SHA256: 51d68a04bd95b48dae0d4298e23c09e5c32cc6c91297c5ff2d92dbd4f598207d
    • SHA512: 9948f8bd3597a1129735558741339b1d7643ca7afdb26f194ee7368a4b9e326d6e161cf4072a950a5d79ad6a403b03ec7c112dde339a4a5fa7903bcc8f911c6d
    • SSDEEP: 12288:dhLKWa+kia+qO9rdc6T5hMhtn7ojsC4mKFNlou61:Bk/5IT5CDn7oLYoj1

    • Snake Keylogger
      Keylogger and infostealer first seen in November 2020.
    • Snake Keylogger payload
    • Snakekeylogger family
    • Command and Scripting Interpreter: PowerShell
      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Reads user/profile data of local email clients
      Email clients store some user data on disk, where infostealers often target it.
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.
    • Accesses Microsoft Outlook profiles
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP address.
    • Suspicious use of SetThreadContext
