snakekeylogger | 9dcb7d8c883fea91934040f7249a70f39aad7e75345a3e13ad06d14399153df1 | Triage

Submit
Reports

Overview

overview

Static

static

3

Purchase O...DF.exe

windows7-x64

Purchase O...DF.exe

windows10-2004-x64

Sharing

General

Target

Purchase Order 0620.PDF.exe
Size

1.4MB
Sample

230602-qkhbmsbh8w
MD5

ce21d87f567ceca173a92c5a1b3ba148
SHA1

18d4d80d666d92644268f80e9eaa7946f399d44d
SHA256

9dcb7d8c883fea91934040f7249a70f39aad7e75345a3e13ad06d14399153df1
SHA512

6961ce4d1d2a301ac131f2dd81150b743b4e38b2e3cd8b31c8e9d251368e97f730a01f92e708183fd8009fe9037f2d9432c869effc31a91f34136c7e772298f0
SSDEEP

24576:lTbBv5rUFcDvfTPmHkTD4jLfgoPS+O6ZNqmSEF9SvXeMi0j8x+B5A4d7UGOQ8Oxv:PBHnTOHk30LfBP/ZcmSvXeMdj8xyxb/d

Score

10^/10

snakekeylogger stormkitty collection keylogger persistence spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Purchase Order 0620.PDF.exe

Resource

win7-20230220-en

snakekeylogger stormkitty collection keylogger persistence spyware stealer

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

Purchase Order 0620.PDF.exe

Resource

win10v2004-20230220-en

snakekeylogger stormkitty collection keylogger persistence spyware stealer

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5553654095:AAFY7fGm3A2NSyoJOWhzq_VfL3zRwqCo4Ow/sendMessage?chat_id=6183982484

Targets

- Target
  
  Purchase Order 0620.PDF.exe
- Size
  
  1.4MB
- MD5
  
  ce21d87f567ceca173a92c5a1b3ba148
- SHA1
  
  18d4d80d666d92644268f80e9eaa7946f399d44d
- SHA256
  
  9dcb7d8c883fea91934040f7249a70f39aad7e75345a3e13ad06d14399153df1
- SHA512
  
  6961ce4d1d2a301ac131f2dd81150b743b4e38b2e3cd8b31c8e9d251368e97f730a01f92e708183fd8009fe9037f2d9432c869effc31a91f34136c7e772298f0
- SSDEEP
  
  24576:lTbBv5rUFcDvfTPmHkTD4jLfgoPS+O6ZNqmSEF9SvXeMi0j8x+B5A4d7UGOQ8Oxv:PBHnTOHk30LfBP/ZcmSvXeMdj8xyxb/d
Score

10^/10

snakekeylogger stormkitty collection keylogger persistence spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

snakekeyloggerstormkittycollectionkeyloggerpersistencespywarestealer

behavioral2

snakekeyloggerstormkittycollectionkeyloggerpersistencespywarestealer

© 2018-2024

Terms | Privacy