snakekeylogger | 256b27db9e30bc928550552c21b4151c66e64e975c64d7f5d090e874a054fefd | Triage

Sharing

General

Target

2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader
Size

6.1MB
Sample

240930-yg5xjascnq
MD5

e468925f8a4e874761f990dfb903dccf
SHA1

fa8c25643bf48a6275a3917696545f2e9f46641c
SHA256

256b27db9e30bc928550552c21b4151c66e64e975c64d7f5d090e874a054fefd
SHA512

470aa24a68b0ec96fd7f7bc78554cdbb2a33d8c0f84d5a11eb3bcaeeb36c98bc8b24febb0efffeb86d02223d6493d7ed4bf232c9b085af7e64a3a2bae9636c3e
SSDEEP

98304:InT0m9Lp46RuqTnT0m9Lp46Ruq3nT0m9Lp46Ruq3OU/jIEeQfoR/IuOFVjUu5:6TB9dOq7TB9dOqXTB9dOq3FIF0wu

Score

10^/10

snakekeylogger discovery execution keylogger persistence stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6839394068:AAEgmde6OU-W-eNGJXPHD9JvEnnTtqhauBg/sendMessage?chat_id=6475103768

Targets

- Target
  
  2024-09-30_e468925f8a4e874761f990dfb903dccf_avoslocker_hijackloader
- Size
  
  6.1MB
- MD5
  
  e468925f8a4e874761f990dfb903dccf
- SHA1
  
  fa8c25643bf48a6275a3917696545f2e9f46641c
- SHA256
  
  256b27db9e30bc928550552c21b4151c66e64e975c64d7f5d090e874a054fefd
- SHA512
  
  470aa24a68b0ec96fd7f7bc78554cdbb2a33d8c0f84d5a11eb3bcaeeb36c98bc8b24febb0efffeb86d02223d6493d7ed4bf232c9b085af7e64a3a2bae9636c3e
- SSDEEP
  
  98304:InT0m9Lp46RuqTnT0m9Lp46Ruq3nT0m9Lp46Ruq3OU/jIEeQfoR/IuOFVjUu5:6TB9dOq7TB9dOqXTB9dOq3FIF0wu
Score

10^/10

discovery execution snakekeylogger keylogger persistence stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

snakekeyloggerdiscoveryexecutionkeyloggerpersistencestealer