Triage | Malware sandboxing report by Hatching Triage

Sharing

General

Target

PO_723_057_35.xls
Size

342KB
Sample

210414-ennhq9p5ea
MD5

f264b8c58febaa3f3eea9a8c83c78cbf
SHA1

36010881f4c3e15878bb3d5e76bc443d82827ebe
SHA256

db66b26d04c77e03bbf22957af34ba2b5817c397036ab8d4b7c222ec1b1ff40e
SHA512

a60be6e617f2704c3dfdc7bcc06e2426f5c52e56da447c92c94e1ce3d118c27b0ef180845557abf3c1d6a63de4f85b93c11eac06bb7bc51c17934406c797f912

Score

10^/10

snakekeylogger keylogger macro macro_on_action stealer xlm

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
janryone.xyz
Port:
587
Username:
lux@janryone.xyz
Password:
*sQwqe$]n1[z

Targets

- Target
  
  PO_723_057_35.xls
- Size
  
  342KB
- MD5
  
  f264b8c58febaa3f3eea9a8c83c78cbf
- SHA1
  
  36010881f4c3e15878bb3d5e76bc443d82827ebe
- SHA256
  
  db66b26d04c77e03bbf22957af34ba2b5817c397036ab8d4b7c222ec1b1ff40e
- SHA512
  
  a60be6e617f2704c3dfdc7bcc06e2426f5c52e56da447c92c94e1ce3d118c27b0ef180845557abf3c1d6a63de4f85b93c11eac06bb7bc51c17934406c797f912
Score

10^/10

snakekeylogger keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

static1

macroxlmmacro_on_action

behavioral1

snakekeyloggerkeyloggerstealer

behavioral2