snakekeylogger | 017e5b7d68e109d875d58186b54eb613a3ceef3d54052b19fa4b9adcfea19cff | Triage

Submit
Reports

Overview

overview

Static

static

1

5cd8e28712...20.exe

windows7-x64

8

5cd8e28712...20.exe

windows10-2004-x64

Sharing

General

Target

fddd99d918c32a807cd1761c519b086b.bin
Size

964KB
Sample

240829-cfczgayakb
MD5

820e09db54c449e81135b4e3b3a2ae49
SHA1

a02227f75928e3f38ee0bb64a1a693480f16e14d
SHA256

017e5b7d68e109d875d58186b54eb613a3ceef3d54052b19fa4b9adcfea19cff
SHA512

49a6a1980e3c65cb4bc29de0790bac7633f1af0e8a53c6c9c90787b9b01024e95f321b3ec22127df0f62c650e418eefeb2cae434dc9fbda109f777129ee7b3c2
SSDEEP

24576:o2756KFEBXpSw6c7KHwAxcbu2JmhT6EjL/9NqMyQ:ZMAuoHh2u+mhuuNqMyQ

Score

10^/10

snakekeylogger discovery keylogger persistence stealer

Static task

static1

Behavioral task

behavioral1

Sample

5cd8e28712872382cacac0d338a4d041e291b89d41a4daf69eabefe7ec46f920.exe

Resource

win7-20240708-en

discovery persistence

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

5cd8e28712872382cacac0d338a4d041e291b89d41a4daf69eabefe7ec46f920.exe

Resource

win10v2004-20240802-en

snakekeylogger discovery keylogger persistence stealer

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
zulpine.shop
Port:
587
Username:
[email protected]
Password:
dkA6kDAnLHNg
Email To:
[email protected]

Targets

- Target
  
  5cd8e28712872382cacac0d338a4d041e291b89d41a4daf69eabefe7ec46f920.exe
- Size
  
  1.1MB
- MD5
  
  fddd99d918c32a807cd1761c519b086b
- SHA1
  
  8cf7e4c454f20d2ab851bb6e18a4250b7af4157c
- SHA256
  
  5cd8e28712872382cacac0d338a4d041e291b89d41a4daf69eabefe7ec46f920
- SHA512
  
  5243ba74b6919a3d96dffda1a598c47a3ce80426136abe769fa19bf9a138de64a7db87efb2a5cfe6c7bb1e5bdc8655169defe54ee79d3d7ebe16817807ebb06a
- SSDEEP
  
  24576:ZlmXjCShkN8Hy//wZhBcV7ilbN1/39e48e:ZlmXjCJN8SXwVL1/9e48e
Score

10^/10

discovery persistence snakekeylogger keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistence

behavioral2

snakekeyloggerdiscoverykeyloggerpersistencestealer

© 2018-2024

Terms | Privacy