General
-
Target
c8d4ad014bc77975ff52fc025abc76fdb1ea9676d453eb096a4b89d0529c58ad.exe
-
Size
550KB
-
Sample
240626-bz5cdswhke
-
MD5
93f4ebbd3bc337d1805105550286ebcb
-
SHA1
a5374ff40e11814b0b41398d88bbd8e9d0909012
-
SHA256
c8d4ad014bc77975ff52fc025abc76fdb1ea9676d453eb096a4b89d0529c58ad
-
SHA512
e924178dd1dbc9e12582f2f0abc69d30ceca85c8add2fd009e55641d89b641a63cd65198b57949981f4b4005cfc1ea24ba57b1627926aed83bbfcbc4b576d86b
-
SSDEEP
12288:Wz5wtNkLsikaU8HHB7QZ4GXUgKwzDxyq/HEnfp3bonqAE:OLsTziUnfYq/kfpd
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot7301432976:AAH31iVg7cEj_CK4xnKcLgyVuIYziQoJStE/sendMessage?chat_id=1182519128
Targets
-
-
Target
c8d4ad014bc77975ff52fc025abc76fdb1ea9676d453eb096a4b89d0529c58ad.exe
-
Size
550KB
-
MD5
93f4ebbd3bc337d1805105550286ebcb
-
SHA1
a5374ff40e11814b0b41398d88bbd8e9d0909012
-
SHA256
c8d4ad014bc77975ff52fc025abc76fdb1ea9676d453eb096a4b89d0529c58ad
-
SHA512
e924178dd1dbc9e12582f2f0abc69d30ceca85c8add2fd009e55641d89b641a63cd65198b57949981f4b4005cfc1ea24ba57b1627926aed83bbfcbc4b576d86b
-
SSDEEP
12288:Wz5wtNkLsikaU8HHB7QZ4GXUgKwzDxyq/HEnfp3bonqAE:OLsTziUnfYq/kfpd
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables packed with SmartAssembly
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables with potential process hoocking
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-