snakekeylogger | 21d2842bf7e9b12dec350a2fdb9a8185c3ec1e07d27d631e2ed5909065c22551 | Triage

Submit
Reports

Overview

overview

Static

static

file01.ps1

windows7-x64

file01.ps1

windows10-2004-x64

Sharing

General

Target

file01.ps1
Size

541KB
Sample

220930-3lch1afbb6
MD5

8b1e1389854e7efed04472288a9445d8
SHA1

9cb77f0e0e7c1276d684e88c384155ee9504fe1a
SHA256

21d2842bf7e9b12dec350a2fdb9a8185c3ec1e07d27d631e2ed5909065c22551
SHA512

2edc673d0df9933ce2f13f24e435edb743de5b334b5abbdfaa9ad3f63170643804c6ac945d5a98d4422ccbcd1abd039202cc94b3468c4f2919f0cda85061a926
SSDEEP

12288:vXi4xmh3fnwCiEgzChnmYyUX3EjZrk2SvvGrdKNOQCqe6d7:vXa7

Score

10^/10

snakekeylogger collection keylogger persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

file01.ps1

Resource

win7-20220901-en

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

file01.ps1

Resource

win10v2004-20220812-en

snakekeylogger collection keylogger persistence stealer

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Targets

- Target
  
  file01.ps1
- Size
  
  541KB
- MD5
  
  8b1e1389854e7efed04472288a9445d8
- SHA1
  
  9cb77f0e0e7c1276d684e88c384155ee9504fe1a
- SHA256
  
  21d2842bf7e9b12dec350a2fdb9a8185c3ec1e07d27d631e2ed5909065c22551
- SHA512
  
  2edc673d0df9933ce2f13f24e435edb743de5b334b5abbdfaa9ad3f63170643804c6ac945d5a98d4422ccbcd1abd039202cc94b3468c4f2919f0cda85061a926
- SSDEEP
  
  12288:vXi4xmh3fnwCiEgzChnmYyUX3EjZrk2SvvGrdKNOQCqe6d7:vXa7
Score

10^/10

persistence snakekeylogger collection keylogger stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Registers COM server for autorun
  persistence
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

snakekeyloggercollectionkeyloggerpersistencestealer

© 2018-2024

Terms | Privacy