snakekeylogger | bf627f5a302ee1d209cdf256611c9086d2fc87b5ba42cd20704ba90d64555d2a

General

Target

PROFORMA INVOICE.zip
Size

13KB
Sample

210226-pl45kvymes
MD5

e8ebb6aa34f433dd1e599805585ab1ac
SHA1

588b5cdf3cf77b3279a91619a5210c2db94dfa49
SHA256

bf627f5a302ee1d209cdf256611c9086d2fc87b5ba42cd20704ba90d64555d2a
SHA512

db957f6cfa5ca1e4421ff10855fb94f2967fc9a572a881588beb0a1b9c48d3fb5a4e899378f19294aad223d01868d627bb148fd0329518b3198ac2538e0c8fd3

Score

10^/10

Malware Config

Targets

- Target
  
  PROFORMA INVOICE.scr
- Size
  
  22KB
- MD5
  
  4480e5c41df955746e6b762828e64ddb
- SHA1
  
  75fd2876572e72da98a99065152c338f935d722f
- SHA256
  
  98bba6280dc438b35e3d0a4f468d1e50dd44bdafdd3e8c396a6dacf6be50fd71
- SHA512
  
  92db76915c468ab2e3a1185b3ee5a0d8849bfb623e5bfdf0fa128a002b16e768097b9440c905a4cb38b70aee9b36c21ce2db57f150f93fc5845ff5f667957a41
Score

10^/10

snakekeylogger evasion keylogger stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger Payload
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- Nirsoft
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Disabling Security Tools

4

T1089

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Targets

Modifies Windows Defender Real-time Protection settings

Snake Keylogger

Snake Keylogger Payload

Turns off Windows Defender SpyNet reporting

Windows security bypass

Nirsoft

Executes dropped EXE

Loads dropped DLL

Windows security modification

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2