General

  • Target

    1bd3b6f065abfaa81547f1e18c0817cb.bin

  • Size

    1021KB

  • Sample

    230308-bc5dwacf6z

  • MD5

    e345aaa06cbf5ecbd4e2c021a036160c

  • SHA1

    eeb8878142bead2bc6949538ea983afe3f2e31a5

  • SHA256

    01479d81bd0ed46467c1858fa5746753bdfb5bb90ffd5fafc4be23e1d665e5fd

  • SHA512

    abb98aedd7d524d47d04eaa87e97023d8a00ef9d8bb2d07240cb44c77565d2697d4a41cc43f7096052a6dce5ff4dd50ee96398c6cb2c6126e7a540290cd8341f

  • SSDEEP

    24576:YB1HUNsqem1twkWGhYNsM3hxfutmRVvIiGv653q:k1HseiwkKNs+mt2VvIiGvI6

Malware Config

  • Extracted

  • Family

    snakekeylogger

  • C2

    https://api.telegram.org/bot5626646319:AAGzrhl4r5X2IjBi4BDIbDFXbwN0VIeCsvY/sendMessage?chat_id=5758197122

Targets

    • Target

      170c0fb730a8b383cb57487ae7614cfac311fb00c9d4577c66b0e9f0b6a29461.xls

    • Size

      1.2MB

    • MD5

      1bd3b6f065abfaa81547f1e18c0817cb

    • SHA1

      022eab00723f19fbe4ebad153e4d4455d3236a49

    • SHA256

      170c0fb730a8b383cb57487ae7614cfac311fb00c9d4577c66b0e9f0b6a29461

    • SHA512

      74c704262b4a1da9429be321b66ac7bb42334c0a52e56d9d3c06ce7236f5addd0906731fe923c6da6847535f7450fb31ba3366d29ab654de8172d5c91f7bee16

    • SSDEEP

      24576:8LKMBotHlxQWQmmav30xlBeYtHlxyWQmmav30xT6YEIzz68zy2W3Vs6Qz:8LKMc7lQmmQ30foG73QmmQ30Z6izy2W0

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks