General
-
Target
a33cbae790086efdabbdfa7b474fcb3c0279209f7891cbb33d2dc61a1c2501d8.zip
-
Size
306KB
-
Sample
240625-b4e83atela
-
MD5
694065a6b0eb5395325c2aaa439e3b8d
-
SHA1
a7fa021d6a64371f75ddca3da717c010f12306a9
-
SHA256
a33cbae790086efdabbdfa7b474fcb3c0279209f7891cbb33d2dc61a1c2501d8
-
SHA512
3c25336e363e67e08baef59659db4876b395ec345e1eca3575debaddeb390465a17071b84c28a768fb20a8ce8c7fbfdfa3ecc3beba7aff2979dc33fd96800090
-
SSDEEP
6144:0O8xl2gAHtZE2pltT2XetfbIW3JylZ9u61tOVUyF09IWwONsPUmDrSZ:bS2gAv8mklZ9/1AruNNaD+
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
valleycountysar.org - Port:
26 - Username:
[email protected] - Password:
fY,FLoadtsiF
http://103.130.147.85
Targets
-
-
Target
Order Details.exe
-
Size
537KB
-
MD5
c5ed14e8dd6cb2860c6638a80812688b
-
SHA1
00af8c4a13e22816093700587f652d7ea773d62d
-
SHA256
69ccbe47812c85cd71bf9824e986c439f9b3ae364191b09bff90e8c9b7b8b1ea
-
SHA512
1cdbce711cd2341b31674e50ebb6b3261293c4e56a6846791d4ec2cc8d1f792d263ffa81e92a541195ba4b8af2d4268ed2a70ee7374517339a0f750da0d9098d
-
SSDEEP
12288:/tu+p5Q+8bw8e4FZp+nOo5PNkDVgKJv/v+PLuSn:/p5Q+Oe4FZkIv/6LB
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables with potential process hoocking
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-