General

  • Target

    w9lpb7.zip

  • Size

    590KB

  • Sample

    210616-aa3vpdjgx2

  • MD5

    a050785f4c35ba1f8dfe632e598d2e7e

  • SHA1

    c90ac93b096c9859fa6ca4d20005cc5f98b8e915

  • SHA256

    e376ca22d92fb2bab636451c9c0afc87a7a527c1a3b7d972d12c7b1ec7c4f4e8

  • SHA512

    e48b2d5c440529284069e1516be2d7f35d68926bd35f782c5b8ba2f1ba74e44ce4928a7929e762e6818cab3b582dc0c6383ce0c3ae9be56622e1ced958815153

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.manavgatgida.com
  • Port:
    587
  • Username:
    zehrasirin@manavgatgida.com
  • Password:
    07Manav07Gat...

Targets

    • Target

      f7d0c1c7c1f49cc0d92ea2ef73a4532066f4fb00674b3fe7942e54b9c08d7c77.bin

    • Size

      776KB

    • MD5

      2181a8578264b7ae0ea6723610c904c4

    • SHA1

      793e7ec3a2f6e4cd2b5157571a010b622f6c6954

    • SHA256

      f7d0c1c7c1f49cc0d92ea2ef73a4532066f4fb00674b3fe7942e54b9c08d7c77

    • SHA512

      a57bfdb187ed6d5dfb8f5d648d0a56c92ea8301c65c72951c880e2d32ded516d713ecd6f3c84623c6e0a1d5aa45e07a20425aedc2c55b2f9a9ecda17a40de7cc

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                        Count  ID
  Execution             Scheduled Task                   1      T1053
  Persistence           Scheduled Task                   1      T1053
  Privilege Escalation  Scheduled Task                   1      T1053
  Defense Evasion       Virtualization/Sandbox Evasion   2      T1497
  Credential Access     Credentials in Files             3      T1081
  Discovery             Query Registry                   4      T1012
  Discovery             Virtualization/Sandbox Evasion   2      T1497
  Discovery             System Information Discovery     3      T1082
  Discovery             Peripheral Device Discovery      1      T1120
  Collection            Data from Local System           3      T1005

Tasks