snakekeylogger | a753f83785176aaa5a16f73f390110dd3f804c08c52d8e90b42ed337e461da69 | Triage

Submit
Reports

Overview

overview

Static

static

3

New PO748N23.PDF.exe

windows7-x64

New PO748N23.PDF.exe

windows10-2004-x64

Sharing

General

Target

New PO748N23.PDF.exe
Size

924KB
Sample

230605-gmfq6aff2s
MD5

a8549737d61df8a9e3df01f3d4760986
SHA1

a5c9688cc73367761dc575ee28a15de62e650ab1
SHA256

a753f83785176aaa5a16f73f390110dd3f804c08c52d8e90b42ed337e461da69
SHA512

5e58d14dcac30e8bfb73afe16dc1fc7a689ab90abead38f89ab4fdfcd6248054d1e8d5b060c8320f8b942ba07200b6df3f7240c91ba7260997536a06a9525030
SSDEEP

24576:NTbBv5rUanyfTPmHkHBP2Gu1r0hspaAcKEby9IulEN/:HBjITOHkHBP2agaAcem/

Score

10^/10

snakekeylogger stormkitty collection keylogger persistence spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

New PO748N23.PDF.exe

Resource

win7-20230220-en

snakekeylogger stormkitty collection keylogger persistence spyware stealer

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

New PO748N23.PDF.exe

Resource

win10v2004-20230220-en

snakekeylogger stormkitty collection keylogger persistence spyware stealer

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5553654095:AAFY7fGm3A2NSyoJOWhzq_VfL3zRwqCo4Ow/sendMessage?chat_id=6183982484

Targets

- Target
  
  New PO748N23.PDF.exe
- Size
  
  924KB
- MD5
  
  a8549737d61df8a9e3df01f3d4760986
- SHA1
  
  a5c9688cc73367761dc575ee28a15de62e650ab1
- SHA256
  
  a753f83785176aaa5a16f73f390110dd3f804c08c52d8e90b42ed337e461da69
- SHA512
  
  5e58d14dcac30e8bfb73afe16dc1fc7a689ab90abead38f89ab4fdfcd6248054d1e8d5b060c8320f8b942ba07200b6df3f7240c91ba7260997536a06a9525030
- SSDEEP
  
  24576:NTbBv5rUanyfTPmHkHBP2Gu1r0hspaAcKEby9IulEN/:HBjITOHkHBP2agaAcem/
Score

10^/10

snakekeylogger stormkitty collection keylogger persistence spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

snakekeyloggerstormkittycollectionkeyloggerpersistencespywarestealer

behavioral2

snakekeyloggerstormkittycollectionkeyloggerpersistencespywarestealer

© 2018-2024

Terms | Privacy