Overview

overview

10

Static

static

1

Attached c...on.rtf

windows7-x64

10

Attached c...on.rtf

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Attached customs declaration.doc

  • Size

    41KB

  • Sample

    230207-nmg3jsee9t

  • MD5

    59680eccd688d64167a1bfc0fbe26903

  • SHA1

    75667c6c9ba92fc48838b7f1ae3a667acc83a09d

  • SHA256

    29d5bd8a4fea152b457fdfedbe44b9cbce7d4ea5fe0c336310b4df15744dba4c

  • SHA512

    3168c4d4b3411a8cefcff01e5157603609b72be3d96f6e0fe5f1f27265af9a1cd1857af0e5dc0b0ef22fdbd4169a81bb44f346d87ff9c8a797ade4485e91f833

  • SSDEEP

    768:0Fx0XaIsnPRIa4fwJMKdrI6AsI2Yq6d9U7i/AmrjxcruGMbkL80+q:0f0Xvx3EM2ZAD2cd9U7mZjxcru4L+q

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      Attached customs declaration.doc

    • Size

      41KB

    • MD5

      59680eccd688d64167a1bfc0fbe26903

    • SHA1

      75667c6c9ba92fc48838b7f1ae3a667acc83a09d

    • SHA256

      29d5bd8a4fea152b457fdfedbe44b9cbce7d4ea5fe0c336310b4df15744dba4c

    • SHA512

      3168c4d4b3411a8cefcff01e5157603609b72be3d96f6e0fe5f1f27265af9a1cd1857af0e5dc0b0ef22fdbd4169a81bb44f346d87ff9c8a797ade4485e91f833

    • SSDEEP

      768:0Fx0XaIsnPRIa4fwJMKdrI6AsI2Yq6d9U7i/AmrjxcruGMbkL80+q:0f0Xvx3EM2ZAD2cd9U7mZjxcru4L+q

    Score
    10/10
    snakekeyloggercollectionkeyloggerspywarestealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks