Triage | Malware sandboxing report by Hatching Triage

Sharing

General

Target

IMG_50_78_63.xls
Size

167KB
Sample

210414-d7asnnvf2s
MD5

4c9d3db50cd58ec12305d904d2354f00
SHA1

b0a4028da497f94c3d00f0c44a60b40fc369d5bc
SHA256

fa0e9c96ef83963d0ab05d58302b13ac57356aed411562c71ef1812066e8ac97
SHA512

744fa49552e1cca5a0dc71da06d55f61a4f3380b61974e9306cfc79e91909169261b96e6ee3cc844df2e5e3354771e0468259f3522e21950e35397f0f9fb1a1e

Score

10^/10

snakekeylogger keylogger macro macro_on_action stealer xlm

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
nobettwo.xyz
Port:
587
Username:
folks@nobettwo.xyz
Password:
[FY$nv_Hp[H7

Targets

- Target
  
  IMG_50_78_63.xls
- Size
  
  167KB
- MD5
  
  4c9d3db50cd58ec12305d904d2354f00
- SHA1
  
  b0a4028da497f94c3d00f0c44a60b40fc369d5bc
- SHA256
  
  fa0e9c96ef83963d0ab05d58302b13ac57356aed411562c71ef1812066e8ac97
- SHA512
  
  744fa49552e1cca5a0dc71da06d55f61a4f3380b61974e9306cfc79e91909169261b96e6ee3cc844df2e5e3354771e0468259f3522e21950e35397f0f9fb1a1e
Score

10^/10

snakekeylogger keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

static1

macroxlmmacro_on_action

behavioral1

snakekeyloggerkeyloggerstealer

behavioral2