Extracted

• • Target

    Shipment Document No - 100184429.exe

  • Size

    511KB

  • MD5

    cdee9eed2080c5d3c0494692e26d5659

  • SHA1

    4d366ef4edc7a0e5dce9beebf38132d9d5418642

  • SHA256

    2708fc0dd1f37e545533dbe8565658ff819ded88f33b3856cebb0b3a531965ad

  • SHA512

    4faf501516cdef327db61c66e9ebed0422b6047fd69eff5ac29f6e1a1aa3d1ea552b9fab74ca84a760b0d7f2d18c573054ac7a5ed147e39bad41e7a30d47d389

  • SSDEEP

    12288:W57kvq9inPTpfGU3VGQ9Co2dWsAvqafbwMVkU9CYs88fk7H5SJ/T:W5oqUPTpfG0GqT2dF2qafbV9CYsa7sJ

  Score

  10^/10

  snakekeyloggercollectioncredential_accessdiscoveryexecutionkeyloggerspywarestealer

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger

  • Snake Keylogger payload

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2