snakekeylogger | 5193184cceeb7785142ebd8770280a449fbe811fcbdfa5c7672116e69f8897b6 | Triage

Submit
Reports

Overview

overview

Static

static

AWB DHL SH...CS.exe

windows7-x64

3

AWB DHL SH...CS.exe

windows10-2004-x64

Sharing

General

Target

AWB DHL SHIPMENT DOCS.exe
Size

16KB
Sample

220930-qf3f1seedq
MD5

e22a17f2fd4f98c0508f50b6ab8d1948
SHA1

6a185691aa74ed5f769c09faaa59d2f9ec5e04ac
SHA256

5193184cceeb7785142ebd8770280a449fbe811fcbdfa5c7672116e69f8897b6
SHA512

dde9660a4e3b6905833ac914b2ca3a2e400a00363b4dd1c46c2383c3461e1bbde016876f4c390272757ce629f07acbc1d189f98d86b70686c07ae8c65dfd7d89
SSDEEP

192:6Z+wT4vLHkLF5hyfC+M2oA9irN9hJethjFUTUQdIunJvTLq7BbVc2Nk9G74ldV7:6FPLF5hX+wc5ULdIuJ7m7hm2NCyQV

Score

10^/10

snakekeylogger collection keylogger persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

AWB DHL SHIPMENT DOCS.exe

Resource

win7-20220812-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

AWB DHL SHIPMENT DOCS.exe

Resource

win10v2004-20220812-en

snakekeylogger collection keylogger persistence stealer

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.stilltech.ro
Port:
587
Username:
[email protected]
Password:
eurobit555ro
Email To:
[email protected]

Targets

- Target
  
  AWB DHL SHIPMENT DOCS.exe
- Size
  
  16KB
- MD5
  
  e22a17f2fd4f98c0508f50b6ab8d1948
- SHA1
  
  6a185691aa74ed5f769c09faaa59d2f9ec5e04ac
- SHA256
  
  5193184cceeb7785142ebd8770280a449fbe811fcbdfa5c7672116e69f8897b6
- SHA512
  
  dde9660a4e3b6905833ac914b2ca3a2e400a00363b4dd1c46c2383c3461e1bbde016876f4c390272757ce629f07acbc1d189f98d86b70686c07ae8c65dfd7d89
- SSDEEP
  
  192:6Z+wT4vLHkLF5hyfC+M2oA9irN9hJethjFUTUQdIunJvTLq7BbVc2Nk9G74ldV7:6FPLF5hX+wc5ULdIuJ7m7hm2NCyQV
Score

10^/10

snakekeylogger collection keylogger persistence stealer
- Modifies WinLogon for persistence
  persistence
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

snakekeyloggercollectionkeyloggerpersistencestealer

© 2018-2024

Terms | Privacy