General
-
Target
18012659320.zip
-
Size
522KB
-
Sample
240701-fprqrszgnm
-
MD5
269e46d97965ef7cbd0b7929c6f8de74
-
SHA1
bc961c25d69d688d1a5aa4175aad504bfc543a56
-
SHA256
7e079f82ebb90e7ef09c59a018e18b0947edb29c5d0f14d7c201d8e40ab6f29c
-
SHA512
751cc46ea4676b958b758ffc1499a707ba4e137be5f5a58619d21f18ff6447187f4a0bab8129aa1d816a3cd79ec75f5913f48ac256f9e9cb67b0fecded9ebff4
-
SSDEEP
12288:VLR4SWqqOyfj9uoRho7Yhxy9fFc59Bvp31+q6fJx58/1B6:VL2S7h2j8A8459BvV1zak1B6
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.artefes.com - Port:
587 - Username:
[email protected] - Password:
ArtEfes4765*+
Targets
-
-
Target
2ae74498a4bc05fa360233342c3652e7df4dc830e240e500ede97931a11e856e
-
Size
588KB
-
MD5
c1eedf3ba4f503e6649bca9ab5b4780f
-
SHA1
a0f9723e89487fd5ef2e305178814ad54b8bb319
-
SHA256
2ae74498a4bc05fa360233342c3652e7df4dc830e240e500ede97931a11e856e
-
SHA512
fe9add3112d842ea1992e0ef9a9f42cb393c2eee7bc274c53a27a3518856701eee0d194900d2f289a369b43a5237d38aaca2403e3de3619bcb13961b20237a65
-
SSDEEP
12288:XuH2jubCawVtC9zTQ0QHwose581Ok7/ys/FWY/T2/1bXc946mBUElkR:XuWUwVO3NOk7R/FJ/Gz/Y
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-