Overview

overview

10

Static

static

Purchase order.VBS

windows7_x64

10

Purchase order.VBS

windows10_x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Purchase order.zip

  • Size

    916B

  • Sample

    211021-xant1aafc5

  • MD5

    aa55e24d0f0ed900817fdb2ff0f57f53

  • SHA1

    2f0ea8b2f576f8c0fd139ffe93d87e588eaba4ae

  • SHA256

    df6411dba3e979035e8a216d9e50972f5934de768f905b40068b1049db365ee3

  • SHA512

    3b2bced17abcd7c807c94f5e7d14457bc5b048daf8ce085fd293f18a6827fd7c5b2ad2e33fde74b1a6e9eae66140da394bf1d9c47ca3bddf8ffd8ff49a4cfe55

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    smtp.live.com
  • Port:
    587
  • Username:
    deniyi334@hotmail.com
  • Password:
    shitturilwan334

Targets

    • Target

      Purchase order.VBS

    • Size

      2KB

    • MD5

      551fde9593f19dc3fd9cc79f7f08e4cb

    • SHA1

      2a57ca45c2720dd7e08cc0e2b6ced80a782c54b3

    • SHA256

      b5fe0465468c4e7db32ba8d57f8d857a03b6e0a905d91627fb76e32aed85a4e1

    • SHA512

      0238490e34b40a54806fb5ccab60d241ac997209324c76aeddec7636a91f67ce9a278b636445ed33d4ebfb2042c9e5d8080438b4ed3b7ea74d49d1fddccb7b21

    Score
    10/10
    snakekeyloggercollectionkeyloggerspywarestealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks