snakekeylogger | bd91083ce01f04c11111c5c33b76552125e1961efbbe15010b1de43349a08843 | Triage

Submit
Reports

Overview

overview

Static

static

8

4c6e2dca5d...d2.xls

windows7_x64

4c6e2dca5d...d2.xls

windows10_x64

Sharing

General

Target

4c6e2dca5d80b3c2c6191266e3a07e5d668752d2.xls
Size

118KB
Sample

210624-58mrk793ba
MD5

4214df1ddc5e781bd44ae657284476b9
SHA1

4c6e2dca5d80b3c2c6191266e3a07e5d668752d2
SHA256

bd91083ce01f04c11111c5c33b76552125e1961efbbe15010b1de43349a08843
SHA512

00d945cf9d210c3b251351d6c6afd6ef9e50b873fe2f2e8da99cb41a79370a7ea7b02131ab4b081a332f732fb647484fd45cb988a0acd46195dac09db93c63a5

Score

10^/10

snakekeylogger keylogger macro macro_on_action spyware stealer xlm

Static task

static1

macro xlm macro_on_action

Behavioral task

behavioral1

Sample

4c6e2dca5d80b3c2c6191266e3a07e5d668752d2.xls

Resource

win7v20210408

snakekeylogger keylogger stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

4c6e2dca5d80b3c2c6191266e3a07e5d668752d2.xls

Resource

win10v20210410

spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://212.192.241.94/news/IMG_1081007003xls.exe

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
nobettwo.xyz
Port:
587
Username:
saturn1@nobettwo.xyz
Password:
O^1)7]oEv=*a

Targets

- Target
  
  4c6e2dca5d80b3c2c6191266e3a07e5d668752d2.xls
- Size
  
  118KB
- MD5
  
  4214df1ddc5e781bd44ae657284476b9
- SHA1
  
  4c6e2dca5d80b3c2c6191266e3a07e5d668752d2
- SHA256
  
  bd91083ce01f04c11111c5c33b76552125e1961efbbe15010b1de43349a08843
- SHA512
  
  00d945cf9d210c3b251351d6c6afd6ef9e50b873fe2f2e8da99cb41a79370a7ea7b02131ab4b081a332f732fb647484fd45cb988a0acd46195dac09db93c63a5
Score

10^/10

snakekeylogger keylogger stealer spyware
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

macroxlmmacro_on_action

behavioral1

snakekeyloggerkeyloggerstealer

behavioral2

© 2018-2024

Terms | Privacy