Overview

overview

10

Static

static

3

dekontMPS20231003.exe

windows7-x64

6

dekontMPS20231003.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dekontMPS20231003.exe

  • Size

    420KB

  • Sample

    231003-wzmgsseg6y

  • MD5

    fdc10b0a79f5e2d47f81c4f81ad4ac07

  • SHA1

    1a9b020fe2e21e9ab341643c8f9e96bd8a5da095

  • SHA256

    eb129d9324fffc4f901285201177387057e3d6c8f34e93aab8b08eee5b44dcb9

  • SHA512

    f0c76eea93c0e23cab41f63b4f7fcae895373134933c6755c56dd6d0d0c14c953b5f0725391dfb392ff22988deeacb5a194e50ac5a87428563367fecd883918b

  • SSDEEP

    12288:vQ/VsmwXLT+jUl+cQMFY523fXbfqfc/3ubyMN:4/VsdXLKjUl+cQMFYU3fXbf2c/3J

Score
10/10
snakekeyloggercollectiondiscoverykeyloggerpersistencespywarestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6559576673:AAE6veQ5mMCrHEUknXuYdCi8fCjm4p3sg-0/sendMessage?chat_id=1467583453

Targets

    • Target

      dekontMPS20231003.exe

    • Size

      420KB

    • MD5

      fdc10b0a79f5e2d47f81c4f81ad4ac07

    • SHA1

      1a9b020fe2e21e9ab341643c8f9e96bd8a5da095

    • SHA256

      eb129d9324fffc4f901285201177387057e3d6c8f34e93aab8b08eee5b44dcb9

    • SHA512

      f0c76eea93c0e23cab41f63b4f7fcae895373134933c6755c56dd6d0d0c14c953b5f0725391dfb392ff22988deeacb5a194e50ac5a87428563367fecd883918b

    • SSDEEP

      12288:vQ/VsmwXLT+jUl+cQMFY523fXbfqfc/3ubyMN:4/VsdXLKjUl+cQMFYU3fXbf2c/3J

    Score
    10/10
    discoverysnakekeyloggercollectionkeyloggerpersistencespywarestealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks