snakekeylogger | ad732770d35cd2619b05588bc0f016e3015cd45ed5e97dd5b61eb61acd4c1e88 | Triage

Submit
Reports

Overview

overview

Static

static

ae49324027...04.pps

windows10-2004-x64

Resubmissions

30-09-2022 23:49

220930-3vf8jsfbd3 10

30-09-2022 23:05

220930-23cdwsgahq 10

Sharing

General

Target

ae4932402776b79b18dac096d0afdcc986f7bef1459bfb9bb5675f2b074d8e04.zip
Size

16KB
Sample

220930-3vf8jsfbd3
MD5

2ada0f10773efb6a25b3be1dd1326c68
SHA1

998a622a13f23a8cc5c4195c731fe1c032352f7a
SHA256

ad732770d35cd2619b05588bc0f016e3015cd45ed5e97dd5b61eb61acd4c1e88
SHA512

dfffe9af22d945cd42ce584cf94e0a4eda1f1ae3dcc7c8c96e95237304c14871267cfe4110f71045c61b8b74d44aa2f4775c7c114a5b8da851ab14cdff611498
SSDEEP

384:CZ9cuOUI95mhREa4Kkwmcd/4tWlr9clyZ7n:MaF9kREaZkTKAg0yhn

Score

10^/10

snakekeylogger collection keylogger persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

ae4932402776b79b18dac096d0afdcc986f7bef1459bfb9bb5675f2b074d8e04.pps

Resource

win10v2004-20220812-en

snakekeylogger collection keylogger persistence stealer

windows10-2004-x64

21 signatures

1800 seconds

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://bitbucket.org/!api/2.0/snippets/tinypro/rEG58e/000e903c314ad0a34dfaac0751c43024bbf2dadd/files/blessed2.txt

Targets

- Target
  
  ae4932402776b79b18dac096d0afdcc986f7bef1459bfb9bb5675f2b074d8e04.ppt
- Size
  
  102KB
- MD5
  
  b47c0f0957935cfc3c27337b8f117d75
- SHA1
  
  1228ae88cfc7a2a80506cd2e4fb14f22a5f8d76c
- SHA256
  
  ae4932402776b79b18dac096d0afdcc986f7bef1459bfb9bb5675f2b074d8e04
- SHA512
  
  208edf3bf8dfb38d738a86db7a240c0ad985ed14b8f58435bcd945d4ca7904469c60bdcb3fb53f91d9f8d91d47c68b5ef26941b44cdb986959cc9e59e907e50e
- SSDEEP
  
  768:kf9BcTRDkSIOd0Xg4JbvsyEVK3/L1U82cY3/A5jEcjo:kutY1OmvsyEVKvL1U0WA5js
Score

10^/10

snakekeylogger collection keylogger persistence stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Blocklisted process makes network request
- Registers COM server for autorun
  persistence
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

snakekeyloggercollectionkeyloggerpersistencestealer

© 2018-2024

Terms | Privacy