snakekeylogger | d472c895106cfebcb6eea8701416aed96b9770c256432ee7ee7a9b8a60a6d254 | Triage

Submit
Reports

Overview

overview

Static

static

1

Athnaton_A...on.xls

windows7-x64

Athnaton_A...on.xls

windows10-2004-x64

Sharing

General

Target

Athnaton_ANP00224_Specification.xls
Size

939KB
Sample

241003-g8wz9syhmj
MD5

15d90d6aa9eb2c890494884bdaff2e91
SHA1

d55134055fb68cab73e32d6ed70d936399484a3d
SHA256

d472c895106cfebcb6eea8701416aed96b9770c256432ee7ee7a9b8a60a6d254
SHA512

a4f10b41f37be48b3ddf83e6c0d133cd8ae8655c4a8fac3235be0dc961c5bf2e3e80d6b924b446ba44a07b7bbdbf99d87b308637332bbb050b4c51c25dab5c8e
SSDEEP

12288:xmzHJEjwWYSqD3DERnLRmF8Dl3PTKuG44G24rBedMPQr6eyCQSEB9:gcwHSqbARM8B3ugedV7Q

Score

10^/10

snakekeylogger collection defense_evasion discovery execution keylogger stealer

Static task

static1

Behavioral task

behavioral1

Sample

Athnaton_ANP00224_Specification.xls

Resource

win7-20240704-en

snakekeylogger collection defense_evasion discovery execution keylogger stealer

windows7-x64

24 signatures

150 seconds

Behavioral task

behavioral2

Sample

Athnaton_ANP00224_Specification.xls

Resource

win10v2004-20240802-en

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.purityontap.com
Port:
587
Username:
[email protected]
Password:
mail55
Email To:
[email protected]

Targets

- Target
  
  Athnaton_ANP00224_Specification.xls
- Size
  
  939KB
- MD5
  
  15d90d6aa9eb2c890494884bdaff2e91
- SHA1
  
  d55134055fb68cab73e32d6ed70d936399484a3d
- SHA256
  
  d472c895106cfebcb6eea8701416aed96b9770c256432ee7ee7a9b8a60a6d254
- SHA512
  
  a4f10b41f37be48b3ddf83e6c0d133cd8ae8655c4a8fac3235be0dc961c5bf2e3e80d6b924b446ba44a07b7bbdbf99d87b308637332bbb050b4c51c25dab5c8e
- SSDEEP
  
  12288:xmzHJEjwWYSqD3DERnLRmF8Dl3PTKuG44G24rBedMPQr6eyCQSEB9:gcwHSqbARM8B3ugedV7Q
Score

10^/10

snakekeylogger collection defense_evasion discovery execution keylogger stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Evasion via Device Credential Deployment
  defense_evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

snakekeyloggercollectiondefense_evasiondiscoveryexecutionkeyloggerstealer

behavioral2

© 2018-2024

Terms | Privacy