Overview

overview

10

Static

static

3

c605bbb804...2b.exe

windows7-x64

7

c605bbb804...2b.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c605bbb80497f649c14f03846249dbe6c72ac434ec1e1ef9292e80f1d92b832b.exe

  • Size

    620KB

  • Sample

    240711-de4apsvgkm

  • MD5

    b409d2fd594633bc71e64da08aed9951

  • SHA1

    c6f38e204419c12044e34baf398030b76e616a2f

  • SHA256

    c605bbb80497f649c14f03846249dbe6c72ac434ec1e1ef9292e80f1d92b832b

  • SHA512

    b234f0a848c3d775cde23d4965084714fe13b3dd076f3749213e0f55a3f69cad302bebd2db2ce189333f85b4d81554dffc74b58553120251acb0f2ce6b03ecf6

  • SSDEEP

    12288:9vxwRbB0H5KUjUPKCuO+ggobwxbAW07FN3WNZt:9vx6bB0ZqAHgDSbxQFN3WDt

Score
10/10
snakekeyloggercollectionevasionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7169426142:AAG_Nuf4vFdD3YALIW-rE-UaNUDVey15SPM/sendMessage?chat_id=1545867115

Targets

    • Target

      c605bbb80497f649c14f03846249dbe6c72ac434ec1e1ef9292e80f1d92b832b.exe

    • Size

      620KB

    • MD5

      b409d2fd594633bc71e64da08aed9951

    • SHA1

      c6f38e204419c12044e34baf398030b76e616a2f

    • SHA256

      c605bbb80497f649c14f03846249dbe6c72ac434ec1e1ef9292e80f1d92b832b

    • SHA512

      b234f0a848c3d775cde23d4965084714fe13b3dd076f3749213e0f55a3f69cad302bebd2db2ce189333f85b4d81554dffc74b58553120251acb0f2ce6b03ecf6

    • SSDEEP

      12288:9vxwRbB0H5KUjUPKCuO+ggobwxbAW07FN3WNZt:9vx6bB0ZqAHgDSbxQFN3WDt

    Score
    10/10
    snakekeyloggercollectionevasionkeyloggerspywarestealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Disables RegEdit via registry modification

      evasion

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      bff2a11d26d951ec34679b8fa1ee7192

    • SHA1

      d3de629a5a86ee35b6afa1802f6ac8b141b07062

    • SHA256

      aec5af9c7c551c3590492b0c0120b535b55ab048e84f695b617a5ab4b1a52f54

    • SHA512

      1dce397c9cab3cd3b58c181688286a89067c743f195403694819c2d988435268ffd01939beaaa17cfa344160c89414f28273b70de154be0def034af8c470723a

    • SSDEEP

      192:G9rQDenC9VrcK7REgSWOprANupQYLRszDDH/d9CWlXo7U6Wxf:GJQEaVAK7R9SfpjpQYLRszfH/d9CWB1j

    Score
    3/10
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      fdee755c4987e9859e0eec130ee22efd

    • SHA1

      ba32823881a98da6b92eee1d866be2b3a20c6e5d

    • SHA256

      e18984e78d58b2383f2c1e8ed0000088ee8d9d469345383618f179176fcddff6

    • SHA512

      31ba3dad22fd9b78ab3f6017c4373c923d048cf0c010900a131c4533ef185d408a88052aa4cf6184dbe484d44aab9cfa94a052185cf0b9ad19286ed921e4723f

    • SSDEEP

      96:ft4Vl/7Lo1UBrob9ljNEUgD7cyuM1x9XkraK2A2KAB5VVDyssKZ:ft4Vlw1Iul5J8T1vK20I5VVGsb

    Score
    3/10
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks