snakekeylogger | fcc02541670447bb776ede3006c4e76673d9aff32b43cb1aac84be7fabb22e1b | Triage

Submit
Reports

Overview

overview

Static

static

ORDER SPEC...ONS.js

windows7_x64

ORDER SPEC...ONS.js

windows10-2004_x64

Sharing

General

Target

ORDER SPECIFICATIONS.js
Size

13KB
Sample

220627-jb73dabee6
MD5

5172ae9728cf8fb9710831dfc025d550
SHA1

935e844e4df5ee8f2278fb4dec87697bba026af0
SHA256

fcc02541670447bb776ede3006c4e76673d9aff32b43cb1aac84be7fabb22e1b
SHA512

9426c6f8786a0be2b708199059ddcc7c63e8fb0c4fdd70e53bd11e1e227101367b561216fedea28ac67fe714ab8e096c00cb4f241f6d72a3030a0363fad1eff7

Score

10^/10

snakekeylogger vjw0rm collection keylogger persistence stealer trojan worm

Static task

static1

Behavioral task

behavioral1

Sample

ORDER SPECIFICATIONS.js

Resource

win7-20220414-en

snakekeylogger vjw0rm collection keylogger persistence stealer trojan worm

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

ORDER SPECIFICATIONS.js

Resource

win10v2004-20220414-en

snakekeylogger vjw0rm collection keylogger persistence stealer trojan worm

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
amanis.xyz
Port:
587
Username:
makuku@amanis.xyz
Password:
uew393Sk#@
Email To:
mykolone19@gmail.com

C2

https://api.telegram.org/bot5196556125:AAHaAuii90DPE7rLAfYKDWEY1kyq32xbZU8/sendMessage?chat_id=1065258767

Targets

- Target
  
  ORDER SPECIFICATIONS.js
- Size
  
  13KB
- MD5
  
  5172ae9728cf8fb9710831dfc025d550
- SHA1
  
  935e844e4df5ee8f2278fb4dec87697bba026af0
- SHA256
  
  fcc02541670447bb776ede3006c4e76673d9aff32b43cb1aac84be7fabb22e1b
- SHA512
  
  9426c6f8786a0be2b708199059ddcc7c63e8fb0c4fdd70e53bd11e1e227101367b561216fedea28ac67fe714ab8e096c00cb4f241f6d72a3030a0363fad1eff7
Score

10^/10

snakekeylogger vjw0rm collection keylogger persistence stealer trojan worm
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger Payload
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

snakekeyloggervjw0rmcollectionkeyloggerpersistencestealertrojanworm

behavioral2

snakekeyloggervjw0rmcollectionkeyloggerpersistencestealertrojanworm

© 2018-2024

Terms | Privacy