General
-
Target
INVOICE0986543009070.exe
-
Size
1.5MB
-
Sample
231127-hnmfrseh89
-
MD5
93532c5b21b858ef1b20042468b5b203
-
SHA1
908d8d3d7812ca76d7eff5e0a2566fed19fbc684
-
SHA256
53ba1575f48c3ed5ecc12fd858464360a9e49d81a2be4a1c9405690d1074e62e
-
SHA512
943161a06a5f01acfb0e6384dd85b3523aed6779e5aaaae6e61cda8d96585b2e6a5e20100baa384b23b5133ef2aa275ae2ac9bd5c3e73eb1acc3cbe87b682f7a
-
SSDEEP
24576:YzdAX+3YtCZOT/cz+qNdm88FpWDxMoawwhvF:YzdADTGFW8x9awqF
Malware Config
Targets
-
-
Target
INVOICE0986543009070.exe
-
Size
1.5MB
-
MD5
93532c5b21b858ef1b20042468b5b203
-
SHA1
908d8d3d7812ca76d7eff5e0a2566fed19fbc684
-
SHA256
53ba1575f48c3ed5ecc12fd858464360a9e49d81a2be4a1c9405690d1074e62e
-
SHA512
943161a06a5f01acfb0e6384dd85b3523aed6779e5aaaae6e61cda8d96585b2e6a5e20100baa384b23b5133ef2aa275ae2ac9bd5c3e73eb1acc3cbe87b682f7a
-
SSDEEP
24576:YzdAX+3YtCZOT/cz+qNdm88FpWDxMoawwhvF:YzdADTGFW8x9awqF
Score10/10-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
UAC bypass
-
Windows security bypass
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Windows security modification
-
Accesses Microsoft Outlook profiles
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4Virtualization/Sandbox Evasion
2