snakekeylogger | c18a8f9b247d1af804f7deb0e94fd9e853f760e27bdab7b39aceb17b12e90954 | Triage

Submit
Reports

Overview

overview

Static

static

IMG_0661.doc

windows7_x64

IMG_0661.doc

windows10_x64

1

Resubmissions

19-01-2021 16:35

210119-f4jb7cdzrs 10

Sharing

General

Target

IMG_0661.doc
Size

720KB
Sample

210119-f4jb7cdzrs
MD5

1cc97f80c8e2b8c63dcced418802f05d
SHA1

ea7a55042caf762d2ef656a4395b6abe09f57644
SHA256

c18a8f9b247d1af804f7deb0e94fd9e853f760e27bdab7b39aceb17b12e90954
SHA512

dd4a8a478704fb433e0c27972ceb1e128885994058a313eb0a5b5687b7b948a97261f1d237dc455ab1575b5808dc82eb5b50c2219f9fe3a6f3d80f841ee45d6f

Score

10^/10

snakekeylogger keylogger persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

IMG_0661.doc

Resource

win7v20201028

snakekeylogger keylogger persistence spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

IMG_0661.doc

Resource

win10v20201028

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  IMG_0661.doc
- Size
  
  720KB
- MD5
  
  1cc97f80c8e2b8c63dcced418802f05d
- SHA1
  
  ea7a55042caf762d2ef656a4395b6abe09f57644
- SHA256
  
  c18a8f9b247d1af804f7deb0e94fd9e853f760e27bdab7b39aceb17b12e90954
- SHA512
  
  dd4a8a478704fb433e0c27972ceb1e128885994058a313eb0a5b5687b7b948a97261f1d237dc455ab1575b5808dc82eb5b50c2219f9fe3a6f3d80f841ee45d6f
Score

10^/10

snakekeylogger keylogger persistence spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

snakekeyloggerkeyloggerpersistencespywarestealer

behavioral2

© 2018-2024

Terms | Privacy