snakekeylogger | 55b85c50614dc59af0cca5ed20dc7713f784b70b16f65fa01163e48ec006be57 | Triage

Submit
Reports

Overview

overview

Static

static

9

customer T...T).exe

windows7_x64

customer T...T).exe

windows10_x64

Sharing

General

Target

customer Telex Transfer(TT).exe
Size

238KB
Sample

210130-wqsl7c5dhe
MD5

bbc7dfecb58d2fbbd51be0979963c3b0
SHA1

234fae4457a9b589f3b7cf783617494787911e26
SHA256

55b85c50614dc59af0cca5ed20dc7713f784b70b16f65fa01163e48ec006be57
SHA512

0986ed7c11375b385f9af58193e00a7dedbc58be29d28ec06c936ba3742fc7f4bb9e79375e3056d90d6f0efb0140c58af841ac522162ab901be49c3081756380

Score

10^/10

snakekeylogger keylogger persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

customer Telex Transfer(TT).exe

Resource

win7v20201028

snakekeylogger keylogger persistence spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

customer Telex Transfer(TT).exe

Resource

win10v20201028

snakekeylogger keylogger persistence spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  customer Telex Transfer(TT).exe
- Size
  
  238KB
- MD5
  
  bbc7dfecb58d2fbbd51be0979963c3b0
- SHA1
  
  234fae4457a9b589f3b7cf783617494787911e26
- SHA256
  
  55b85c50614dc59af0cca5ed20dc7713f784b70b16f65fa01163e48ec006be57
- SHA512
  
  0986ed7c11375b385f9af58193e00a7dedbc58be29d28ec06c936ba3742fc7f4bb9e79375e3056d90d6f0efb0140c58af841ac522162ab901be49c3081756380
Score

10^/10

snakekeylogger keylogger persistence spyware stealer
- Modifies WinLogon for persistence
  persistence
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger Payload
- Beds Protector Packer
  Detects Beds Protector packer used to load .NET malware.
- Drops startup file
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

snakekeyloggerkeyloggerpersistencespywarestealer

behavioral2

snakekeyloggerkeyloggerpersistencespywarestealer

© 2018-2024

Terms | Privacy