snakekeylogger | 0174f2ae73de2c6555b520a69b0cc9cb910620252f699854c682bc188ffac4c9 | Triage

Submit
Reports

Overview

overview

Static

static

IMG-6661.doc.rtf

windows7_x64

IMG-6661.doc.rtf

windows10_x64

5

Sharing

General

Target

IMG-6661.doc
Size

920KB
Sample

210127-b81s94c5t6
MD5

6aad32d47dc65501a1ff04847f2217c5
SHA1

5b77e900f12c5ecb8500f32363d60b8fbbe6dbbb
SHA256

0174f2ae73de2c6555b520a69b0cc9cb910620252f699854c682bc188ffac4c9
SHA512

f376d2fca836b4cc98cac167c7fd15b8b7a135f9e390d9e7ab4c3659637ff8f3d9cb850b02d42214c789fadb305c2cf2b5f7846ab9806625413002c48eb6301c

Score

10^/10

snakekeylogger keylogger persistence ransomware spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

IMG-6661.doc.rtf

Resource

win7v20201028

snakekeylogger keylogger persistence ransomware spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

IMG-6661.doc.rtf

Resource

win10v20201028

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  IMG-6661.doc
- Size
  
  920KB
- MD5
  
  6aad32d47dc65501a1ff04847f2217c5
- SHA1
  
  5b77e900f12c5ecb8500f32363d60b8fbbe6dbbb
- SHA256
  
  0174f2ae73de2c6555b520a69b0cc9cb910620252f699854c682bc188ffac4c9
- SHA512
  
  f376d2fca836b4cc98cac167c7fd15b8b7a135f9e390d9e7ab4c3659637ff8f3d9cb850b02d42214c789fadb305c2cf2b5f7846ab9806625413002c48eb6301c
Score

10^/10

snakekeylogger keylogger persistence ransomware spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

snakekeyloggerkeyloggerpersistenceransomwarespywarestealer

behavioral2

© 2018-2024

Terms | Privacy