General

  • Target

    MV GOLDEN SCHULTE.exe

  • Size

    521KB

  • Sample

    240626-fsy91swhph

  • MD5

    cb45d49e68b2c594f6c9bcf7edd6481a

  • SHA1

    fa05b81dc9b816e4e8dd51349271e8af273b799b

  • SHA256

    771049ea28dc7d93076d1019ff573d8ad9a8c47ca8dec2a8c64be18aec259d03

  • SHA512

    8538a493ead6c65d2aac98c9b56b53b152e0c1699b88b239597ca16173a6980cc862bdba596807d36075befce7a7e6cf8d3baf2218ecd3a0c95e072f594af695

  • SSDEEP

    6144:cTVFZInd6Xcfg9UVFuVqsLSccPNJcnkhcYlEHNLpKJjPh2Lu2GyfyRUoXHO8cZlJ:c5kndm7/L2Pd2WyfyFXH5sJQniP

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    valleycountysar.org
  • Port:
    26
  • Username:
    [email protected]
  • Password:
    fY,FLoadtsiF

Targets


    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access

    Unsecured Credentials (T1552): 2
    Credentials In Files (T1552.001): 2

  • Collection

    Data from Local System (T1005): 2
    Email Collection (T1114): 1
