snakekeylogger | c7a282bb4bc111616da14a7f6bac27b0b7c7437156a7992382dc695f50d6300a | Triage

Submit
Reports

Overview

overview

Static

static

1

DE ADEUDO ...at.exe

windows7-x64

DE ADEUDO ...at.exe

windows10-2004-x64

7

Sharing

General

Target

DE ADEUDO EL 04.04.2023.bat.exe
Size

625KB
Sample

230328-rp5heabe46
MD5

c5a9119a67c1d429e3af9418735aa919
SHA1

f7c44b5a96bab809aa91d1fc0f32f5db41eac106
SHA256

c7a282bb4bc111616da14a7f6bac27b0b7c7437156a7992382dc695f50d6300a
SHA512

5bf05793815f510ac70b9386bcb1c3b36f42f5dc6693319eb8b34474744f43a8ba38510feeb52a4d5b4adda021cbdb0b279fb728042eb3efba9f1d3da6ac86f3
SSDEEP

6144:sMm4CCHM4NL26fgvKOXB9CXSjdtoXtRl1b/zMehiHoBik4K2y9ah:sMwg/NL26fgvPcKdtodnBAe5L9ah

Score

10^/10

snakekeylogger keylogger stealer

Static task

static1

Behavioral task

behavioral1

Sample

DE ADEUDO EL 04.04.2023.bat.exe

Resource

win7-20230220-en

snakekeylogger keylogger stealer

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

DE ADEUDO EL 04.04.2023.bat.exe

Resource

win10v2004-20230220-en

windows10-2004-x64

2 signatures

150 seconds

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.eversafe.pt
Port:
587
Username:
pulqueriamonteiro@eversafe.pt
Password:
Ev3rsaf3_2021
Email To:
rolandvirus66@gmail.com

Targets

- Target
  
  DE ADEUDO EL 04.04.2023.bat.exe
- Size
  
  625KB
- MD5
  
  c5a9119a67c1d429e3af9418735aa919
- SHA1
  
  f7c44b5a96bab809aa91d1fc0f32f5db41eac106
- SHA256
  
  c7a282bb4bc111616da14a7f6bac27b0b7c7437156a7992382dc695f50d6300a
- SHA512
  
  5bf05793815f510ac70b9386bcb1c3b36f42f5dc6693319eb8b34474744f43a8ba38510feeb52a4d5b4adda021cbdb0b279fb728042eb3efba9f1d3da6ac86f3
- SSDEEP
  
  6144:sMm4CCHM4NL26fgvKOXB9CXSjdtoXtRl1b/zMehiHoBik4K2y9ah:sMwg/NL26fgvPcKdtodnBAe5L9ah
Score

10^/10

snakekeylogger keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

snakekeyloggerkeyloggerstealer

behavioral2

© 2018-2024

Terms | Privacy