Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    file.exe

  • Size

    390KB

  • Sample

    230602-rgpf8abf88

  • MD5

    66244fb1118f70553439a5afc47529ac

  • SHA1

    68250dcc265970b31d6fed79c008fe0972eec12c

  • SHA256

    8973a01c5fb01195763577375cc5e3b223c5ed680cbd646a0924cbcb37150ebb

  • SHA512

    8cd236ee3ab5ce209264cdbb3d00acc4399489474e47ef6e231d76fdd704a07b4060ca20e46f5e2ea618963dd4cb38fe38c4e91b42e79b7c2bdc68756d3719cb

  • SSDEEP

    6144:cTzoeC71TFqddJYDqR2B19LuduY0XoJt6FW9mVou0art+obeVxJAK/ngEdfbL2:KzDqRkGDqMnXhYJt6zSu0kMOWD3/ge/2

Score
10/10
snakekeyloggercollectionevasionkeyloggerpersistencestealertrojan

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6029559841:AAEqr8_NCfqapJgAzw8PoPbqoCosnsk1VO0/sendMessage?chat_id=6033043077

Targets

    • Target

      file.exe

    • Size

      390KB

    • MD5

      66244fb1118f70553439a5afc47529ac

    • SHA1

      68250dcc265970b31d6fed79c008fe0972eec12c

    • SHA256

      8973a01c5fb01195763577375cc5e3b223c5ed680cbd646a0924cbcb37150ebb

    • SHA512

      8cd236ee3ab5ce209264cdbb3d00acc4399489474e47ef6e231d76fdd704a07b4060ca20e46f5e2ea618963dd4cb38fe38c4e91b42e79b7c2bdc68756d3719cb

    • SSDEEP

      6144:cTzoeC71TFqddJYDqR2B19LuduY0XoJt6FW9mVou0art+obeVxJAK/ngEdfbL2:KzDqRkGDqMnXhYJt6zSu0kMOWD3/ge/2

    Score
    10/10
    snakekeyloggercollectionevasionkeyloggerpersistencestealertrojan

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Sets service image path in registry

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Windows security modification

      evasiontrojan

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

2
T1060

Scheduled Task

1
T1053

Privilege Escalation

Bypass User Account Control

1
T1088

Scheduled Task

1
T1053

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

3
T1089

Modify Registry

6
T1112

Virtualization/Sandbox Evasion

2
T1497

Scripting

1
T1064

Credential Access

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks