snakekeylogger | 67f3cc2b3a57590f2e4bb1e496a0b2d0da8cece64efc73da021c9c0bde2c6f9c | Triage

Submit
Reports

Overview

overview

Static

static

IMG_5371.EXE

windows7_x64

IMG_5371.EXE

windows10_x64

Sharing

General

Target

IMG_5371.EXE
Size

1.4MB
Sample

210122-79yqbaqya6
MD5

dab644bd40ca9f103fcbdd74ebe39a2d
SHA1

f3c2aacc1c81f58e9975f4e89fab04ebd1d87377
SHA256

67f3cc2b3a57590f2e4bb1e496a0b2d0da8cece64efc73da021c9c0bde2c6f9c
SHA512

2fd1b216531e27ab66ea47f51a9d58fcb5a342937109d07df881c346384e369835655bd6e2fcbe284a8fc72757542e446f495271c9df9c0533a22640f3d55ac0

Score

10^/10

snakekeylogger keylogger persistence ransomware spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

IMG_5371.EXE

Resource

win7v20201028

snakekeylogger keylogger persistence ransomware spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

IMG_5371.EXE

Resource

win10v20201028

snakekeylogger keylogger persistence ransomware spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  IMG_5371.EXE
- Size
  
  1.4MB
- MD5
  
  dab644bd40ca9f103fcbdd74ebe39a2d
- SHA1
  
  f3c2aacc1c81f58e9975f4e89fab04ebd1d87377
- SHA256
  
  67f3cc2b3a57590f2e4bb1e496a0b2d0da8cece64efc73da021c9c0bde2c6f9c
- SHA512
  
  2fd1b216531e27ab66ea47f51a9d58fcb5a342937109d07df881c346384e369835655bd6e2fcbe284a8fc72757542e446f495271c9df9c0533a22640f3d55ac0
Score

10^/10

snakekeylogger keylogger persistence ransomware spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger Payload
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

snakekeyloggerkeyloggerpersistenceransomwarespywarestealer

behavioral2

snakekeyloggerkeyloggerpersistenceransomwarespywarestealer

© 2018-2024

Terms | Privacy