snakekeylogger | 4cb618534fc8ab2da4a319613792a5cb456d937e6030a3647fef7666aedaefb6 | Triage

Submit
Reports

Overview

overview

Static

static

CHIKWA (2).exe

windows7_x64

CHIKWA (2).exe

windows10_x64

Sharing

General

Target

CHIKWA (2).exe
Size

102KB
Sample

210201-n7vth7tsda
MD5

f9ed1a27fe500e855fb838425b5f70ac
SHA1

a7ed0dcf25f7da103f484840bece749b22d1e1d7
SHA256

4cb618534fc8ab2da4a319613792a5cb456d937e6030a3647fef7666aedaefb6
SHA512

7070502bf6b0f531cc6dc4665f2f95f7f2380a7833e3fabd15e440fab2c9bde32d3e503e82edd4021b1be9303aa770f66e7323d10af627b426d986fa7b88cc6b

Score

10^/10

snakekeylogger keylogger persistence spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

CHIKWA (2).exe

Resource

win7v20201028

snakekeylogger keylogger persistence spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

CHIKWA (2).exe

Resource

win10v20201028

snakekeylogger keylogger persistence spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  CHIKWA (2).exe
- Size
  
  102KB
- MD5
  
  f9ed1a27fe500e855fb838425b5f70ac
- SHA1
  
  a7ed0dcf25f7da103f484840bece749b22d1e1d7
- SHA256
  
  4cb618534fc8ab2da4a319613792a5cb456d937e6030a3647fef7666aedaefb6
- SHA512
  
  7070502bf6b0f531cc6dc4665f2f95f7f2380a7833e3fabd15e440fab2c9bde32d3e503e82edd4021b1be9303aa770f66e7323d10af627b426d986fa7b88cc6b
Score

10^/10

snakekeylogger keylogger persistence spyware stealer
- Modifies WinLogon for persistence
  persistence
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger Payload
- Drops startup file
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

snakekeyloggerkeyloggerpersistencespywarestealer

behavioral2

snakekeyloggerkeyloggerpersistencespywarestealer

© 2018-2024

Terms | Privacy