General

  • Target

    FRA03202327.rar

  • Size

    550KB

  • Sample

    230327-pzzc2afe6y

  • MD5

    963503ce0209c8634b0a10b33351f033

  • SHA1

    5f4124852d3fe47a7d5565d6c0e7fdd4ac4a68f2

  • SHA256

    7538b0de3fda6887fa9faa165bf19955c29841fda9a254cba8c7b2f93c9a1658

  • SHA512

    496326e45b4b5a66d9c6ced04989aad5033b9fe5923e0c9a37de00b7b048318774ad69bfa2d85ca8e94a5445ccb4deef48159cc1660f93f072a3cb9ce430721d

  • SSDEEP

    12288:wN5y35xG7Ic21G7sKprhfX07p11KnikN1wFLAQBoZ:wm5wCGIKprdXQp1UiGVZ

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.eversafe.pt
  • Port:
    587
  • Username:
    pulqueriamonteiro@eversafe.pt
  • Password:
    Ev3rsaf3_2021
  • Email To:
    frametime17@gmail.com

Targets

    • Target

      FRA03202327.exe

    • Size

      682KB

    • MD5

      a03f166e1ac1dbcd11eb8b38caa1cddd

    • SHA1

      da98430dcad69ec69931629ad0502b914118cea9

    • SHA256

      b6252d1920c72ca9a171d28353495c48cbd053bfe59d4a4fac747cead3b08aa8

    • SHA512

      76b61b043768c2d2ad19601e91d6013bbb4e4ede950b754b36bdfecddf3bcb842398c01bd5b2c377fc72d6b8527f02f27ae553f1ef132804312e96e2b0f1b851

    • SSDEEP

      12288:JMw4EAPcLq/BfWXbZsUBxKHSQBaAT3yZrn0aHDyq9DSXALFW0acaLUJ:JMwtAPcLq/ByNsQyBv3yBDyq0GR3J

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks QEMU agent file

      Checks for the presence of the QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    Query Registry (1): T1012
    System Information Discovery (2): T1082

  • Collection

    Email Collection (1): T1114

  • Command and Control

    Web Service (1): T1102

Tasks