snakekeylogger | cc785844aa61ae5652734930dfef36fc46d8cb9c6249df255e922c1f72fc14dd | Triage

Submit
Reports

Overview

overview

Static

static

VESSEL PAR...RS.xll

windows7_x64

7

VESSEL PAR...RS.xll

windows10-2004_x64

Sharing

General

Target

VESSEL PARTICULARS.xls
Size

610KB
Sample

220706-kwef8scgg5
MD5

ad8cc75758a717283e2a9efa9e7fae6f
SHA1

37599d8c64972f8e296857cb58084139c162b6f4
SHA256

cc785844aa61ae5652734930dfef36fc46d8cb9c6249df255e922c1f72fc14dd
SHA512

c8d36e5ef3f378fbb7ee1554db32f4c6e2f9d0f67c96019a8b5463af61d83ab3ce5fed8b7c87d29ac3b202473388211cb40a19dfe7a5052976101bf4961891d0

Score

10^/10

snakekeylogger collection keylogger persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

VESSEL PARTICULARS.xll

Resource

win7-20220414-en

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

VESSEL PARTICULARS.xll

Resource

win10v2004-20220414-en

snakekeylogger collection keylogger persistence stealer

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot1897716112:AAEAtOCkOV8umHBB93Og24bkiIdUKReGK44/sendMessage?chat_id=1745211648

Targets

- Target
  
  VESSEL PARTICULARS.xls
- Size
  
  610KB
- MD5
  
  ad8cc75758a717283e2a9efa9e7fae6f
- SHA1
  
  37599d8c64972f8e296857cb58084139c162b6f4
- SHA256
  
  cc785844aa61ae5652734930dfef36fc46d8cb9c6249df255e922c1f72fc14dd
- SHA512
  
  c8d36e5ef3f378fbb7ee1554db32f4c6e2f9d0f67c96019a8b5463af61d83ab3ce5fed8b7c87d29ac3b202473388211cb40a19dfe7a5052976101bf4961891d0
Score

10^/10

snakekeylogger collection keylogger persistence stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

snakekeyloggercollectionkeyloggerpersistencestealer

© 2018-2024

Terms | Privacy