snakekeylogger | 777f7cc25c596f6617f5750b2ef83ab0c5b439fac67153224290e83aceca9214 | Triage

Submit
Reports

Overview

overview

Static

static

Purchase O...oc.rtf

windows7_x64

Purchase O...oc.rtf

windows10_x64

1

Sharing

General

Target

Purchase Order From Hanon systems Ltd.doc
Size

1.2MB
Sample

210419-57z333bc86
MD5

d9a7f66522882d74a20738f1c3d2681f
SHA1

b5a13dea22b2da04d1147c292f1f8d8ac39d777d
SHA256

777f7cc25c596f6617f5750b2ef83ab0c5b439fac67153224290e83aceca9214
SHA512

74f5ea5ee011c243fed3d94f15382e51e09705ac890767e11954978e5b81d56c2f9d233fb59052d2828516dd50e919355a51af134179ad392bb14f6c43eac916

Score

10^/10

snakekeylogger keylogger persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

Purchase Order From Hanon systems Ltd.doc.rtf

Resource

win7v20210410

snakekeylogger keylogger persistence stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Purchase Order From Hanon systems Ltd.doc.rtf

Resource

win10v20210410

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
nobettwo.xyz
Port:
587
Username:
[email protected]
Password:
O^1)7]oEv=*a

Targets

- Target
  
  Purchase Order From Hanon systems Ltd.doc
- Size
  
  1.2MB
- MD5
  
  d9a7f66522882d74a20738f1c3d2681f
- SHA1
  
  b5a13dea22b2da04d1147c292f1f8d8ac39d777d
- SHA256
  
  777f7cc25c596f6617f5750b2ef83ab0c5b439fac67153224290e83aceca9214
- SHA512
  
  74f5ea5ee011c243fed3d94f15382e51e09705ac890767e11954978e5b81d56c2f9d233fb59052d2828516dd50e919355a51af134179ad392bb14f6c43eac916
Score

10^/10

snakekeylogger keylogger persistence stealer
- Modifies WinLogon for persistence
  persistence
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

snakekeyloggerkeyloggerpersistencestealer

behavioral2

© 2018-2024

Terms | Privacy