snakekeylogger | 54ff9c472be10b924ae15c252e08bb870e1a1cf8361a00b74cc0d03113dd6e54 | Triage

Submit
Reports

Overview

overview

Static

static

8

Sample_030...8.xlsm

windows7_x64

Sample_030...8.xlsm

windows10_x64

Sharing

General

Target

Sample_03018200_ISO_03512328.xlsm
Size

389KB
Sample

211025-pzphtsgbe7
MD5

02c95603229648cdcc202dbfcb0986d1
SHA1

3e54ebf74799844c8de1922c5cd4b60f1d8c0340
SHA256

54ff9c472be10b924ae15c252e08bb870e1a1cf8361a00b74cc0d03113dd6e54
SHA512

5c714532a453ace9c32662acbe9872a670946ef3bca244226f48d882737424a3c9561b11f2ad8b9241c64ed1d48f007b60423043b7c973df80767715f9e9b3ee

Score

10^/10

snakekeylogger collection keylogger macro stealer

Static task

static1

Behavioral task

behavioral1

Sample

Sample_03018200_ISO_03512328.xlsm

Resource

win7-en-20211014

snakekeylogger collection keylogger stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Sample_03018200_ISO_03512328.xlsm

Resource

win10-en-20211014

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://18.159.149.5/nbl/joy/1-1/Sample_03018200_ISO_03512328.exe

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
efinancet.shop
Port:
587
Username:
mortgage@efinancet.shop
Password:
SU^QlsaPg%E#

Targets

- Target
  
  Sample_03018200_ISO_03512328.xlsm
- Size
  
  389KB
- MD5
  
  02c95603229648cdcc202dbfcb0986d1
- SHA1
  
  3e54ebf74799844c8de1922c5cd4b60f1d8c0340
- SHA256
  
  54ff9c472be10b924ae15c252e08bb870e1a1cf8361a00b74cc0d03113dd6e54
- SHA512
  
  5c714532a453ace9c32662acbe9872a670946ef3bca244226f48d882737424a3c9561b11f2ad8b9241c64ed1d48f007b60423043b7c973df80767715f9e9b3ee
Score

10^/10

snakekeylogger collection keylogger stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

snakekeyloggercollectionkeyloggerstealer

behavioral2

© 2018-2024

Terms | Privacy