Overview

overview

10

Static

static

doc2019291...df.exe

windows7_x64

10

doc2019291...df.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    doc2019291888001990.pdf.exe

  • Size

    476KB

  • Sample

    220704-jcdj6afcfn

  • MD5

    886ff484cf96959a78f2b45d42a8cb2e

  • SHA1

    95e00817055aa3e802e02fa95cb6176a2e12b04c

  • SHA256

    fa23336b3edcffd21b29e5873ca7775cd5b09026e93459792438c345c7ee39df

  • SHA512

    fae192354c3b5984a2d1e45e93d65370f25a608ee2410ba9ce33bcd763f50db7243b4021b9cb962f1e7d2a88dba37267ca7efb2c18c3007393020a86bb0ec679

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5468731092:AAGGNQWBVRhX622u6xp1moMhaunIGtXuIxg/sendMessage?chat_id=1639214896

Targets

    • Target

      doc2019291888001990.pdf.exe

    • Size

      476KB

    • MD5

      886ff484cf96959a78f2b45d42a8cb2e

    • SHA1

      95e00817055aa3e802e02fa95cb6176a2e12b04c

    • SHA256

      fa23336b3edcffd21b29e5873ca7775cd5b09026e93459792438c345c7ee39df

    • SHA512

      fae192354c3b5984a2d1e45e93d65370f25a608ee2410ba9ce33bcd763f50db7243b4021b9cb962f1e7d2a88dba37267ca7efb2c18c3007393020a86bb0ec679

    Score
    10/10
    snakekeyloggercollectionkeyloggerspywarestealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger Payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks