snakekeylogger | 1b610303b3b37043421130f30b024aaff816b8f8de214a98e7d1ea1b6197e8ed | Triage

Submit
Reports

Overview

overview

Static

static

ae49324027...04.pps

windows7-x64

ae49324027...04.pps

windows10-2004-x64

Sharing

General

Target

8083596121.zip
Size

17KB
Sample

220930-rtesjsefhq
MD5

2e238f7fd5a3e1cc0adc5353e28693f4
SHA1

53a4823b8476bba58f3c26da8a9295bf61d7492b
SHA256

1b610303b3b37043421130f30b024aaff816b8f8de214a98e7d1ea1b6197e8ed
SHA512

99d7b6ef8e191753ee7dbfaaefd1c9fb8d9c40dade89f077736dea1da8aa42b56987ab4627f3a575cacd7c9180c0c0c58aa7c94d02466bdb4ed2df240cffd128
SSDEEP

384:Dwl8DznTymTriUvjkMOe2NsH3ErKr7Ycvh3GLjWNgnjojBjinJ:vzLTPZl240rtIhWPWNWjSjYJ

Score

10^/10

snakekeylogger collection keylogger persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

ae4932402776b79b18dac096d0afdcc986f7bef1459bfb9bb5675f2b074d8e04.pps

Resource

win7-20220812-en

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

ae4932402776b79b18dac096d0afdcc986f7bef1459bfb9bb5675f2b074d8e04.pps

Resource

win10v2004-20220812-en

snakekeylogger collection keylogger persistence stealer

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://bitbucket.org/!api/2.0/snippets/tinypro/rEG58e/000e903c314ad0a34dfaac0751c43024bbf2dadd/files/blessed2.txt

Targets

- Target
  
  ae4932402776b79b18dac096d0afdcc986f7bef1459bfb9bb5675f2b074d8e04
- Size
  
  102KB
- MD5
  
  b47c0f0957935cfc3c27337b8f117d75
- SHA1
  
  1228ae88cfc7a2a80506cd2e4fb14f22a5f8d76c
- SHA256
  
  ae4932402776b79b18dac096d0afdcc986f7bef1459bfb9bb5675f2b074d8e04
- SHA512
  
  208edf3bf8dfb38d738a86db7a240c0ad985ed14b8f58435bcd945d4ca7904469c60bdcb3fb53f91d9f8d91d47c68b5ef26941b44cdb986959cc9e59e907e50e
- SSDEEP
  
  768:kf9BcTRDkSIOd0Xg4JbvsyEVK3/L1U82cY3/A5jEcjo:kutY1OmvsyEVKvL1U0WA5js
Score

10^/10

snakekeylogger collection keylogger persistence stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Blocklisted process makes network request
- Registers COM server for autorun
  persistence
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

snakekeyloggercollectionkeyloggerpersistencestealer

© 2018-2024

Terms | Privacy