snakekeylogger | 915ed58984f946bee7b46fd8d6a4cc81e4d7edbd6f2c52a7d0f0f0945140d23b | Triage

Submit
Reports

Overview

overview

Static

static

PO2491039385.js

windows7_x64

PO2491039385.js

windows10_x64

Sharing

General

Target

PO2491039385.js
Size

536KB
Sample

211214-s3715aghgp
MD5

e09294b9ca51300793673da85e23fa34
SHA1

46715b9d35152983bd452eb6bf65c588b36a7ab1
SHA256

915ed58984f946bee7b46fd8d6a4cc81e4d7edbd6f2c52a7d0f0f0945140d23b
SHA512

9d5c7dcb626c7cdb9ab7bab3d73d144b8494aac1561b2b83237007486f03404bb73e539b6847fa1ec12a04e8c5448eaaa346c4d3137b2614416a95337ca081b4

Score

10^/10

snakekeylogger vjw0rm collection keylogger persistence spyware stealer trojan worm

Static task

static1

Behavioral task

behavioral1

Sample

PO2491039385.js

Resource

win7-en-20211208

snakekeylogger vjw0rm collection keylogger persistence spyware stealer trojan worm

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PO2491039385.js

Resource

win10-en-20211208

snakekeylogger vjw0rm keylogger persistence stealer trojan worm

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
success21

Extracted

Family

vjw0rm

C2

http://myroyailrubin2019.duia.ro:7974

Targets

- Target
  
  PO2491039385.js
- Size
  
  536KB
- MD5
  
  e09294b9ca51300793673da85e23fa34
- SHA1
  
  46715b9d35152983bd452eb6bf65c588b36a7ab1
- SHA256
  
  915ed58984f946bee7b46fd8d6a4cc81e4d7edbd6f2c52a7d0f0f0945140d23b
- SHA512
  
  9d5c7dcb626c7cdb9ab7bab3d73d144b8494aac1561b2b83237007486f03404bb73e539b6847fa1ec12a04e8c5448eaaa346c4d3137b2614416a95337ca081b4
Score

10^/10

snakekeylogger vjw0rm collection keylogger persistence spyware stealer trojan worm
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger Payload
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Executes dropped EXE
- Drops startup file
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

snakekeyloggervjw0rmcollectionkeyloggerpersistencespywarestealertrojanworm

behavioral2

snakekeyloggervjw0rmkeyloggerpersistencestealertrojanworm

© 2018-2024

Terms | Privacy