snakekeylogger | 7e47e3f0546d15968a9feab556f1b5630b2ede65a31db2e488c7a51e059ba280 | Triage

Submit
Reports

Overview

overview

Static

static

STOWAGE PLAN.xll

windows7_x64

7

STOWAGE PLAN.xll

windows10-2004_x64

Sharing

General

Target

STOWAGE PLAN.xll
Size

1.7MB
Sample

220704-wprzjaaegm
MD5

6ea1c38ca441834adead2a04cb8f5d8a
SHA1

c1fe55edbca69ee37a2378c957b9c0c1c85471d8
SHA256

7e47e3f0546d15968a9feab556f1b5630b2ede65a31db2e488c7a51e059ba280
SHA512

23eaf7841fa1b11d86a2e9ffc7874a669f4cd3bf68b4ecc03a7eb6a013dc5f2a6a62393f01f6bb4b4b2b72bddf908ca813ee26ae016a5e0fa662604a5a0736fe

Score

10^/10

snakekeylogger collection keylogger persistence stealer suricata

Static task

static1

Behavioral task

behavioral1

Sample

STOWAGE PLAN.xll

Resource

win7-20220414-en

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

STOWAGE PLAN.xll

Resource

win10v2004-20220414-en

snakekeylogger collection keylogger persistence stealer suricata

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot1897716112:AAEAtOCkOV8umHBB93Og24bkiIdUKReGK44/sendMessage?chat_id=1745211648

Targets

- Target
  
  STOWAGE PLAN.xll
- Size
  
  1.7MB
- MD5
  
  6ea1c38ca441834adead2a04cb8f5d8a
- SHA1
  
  c1fe55edbca69ee37a2378c957b9c0c1c85471d8
- SHA256
  
  7e47e3f0546d15968a9feab556f1b5630b2ede65a31db2e488c7a51e059ba280
- SHA512
  
  23eaf7841fa1b11d86a2e9ffc7874a669f4cd3bf68b4ecc03a7eb6a013dc5f2a6a62393f01f6bb4b4b2b72bddf908ca813ee26ae016a5e0fa662604a5a0736fe
Score

10^/10

snakekeylogger collection keylogger persistence stealer suricata
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger Payload
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

snakekeyloggercollectionkeyloggerpersistencestealersuricata

© 2018-2024

Terms | Privacy