snakekeylogger | ed0b1f5749e23d2494de9cdeda7aca03c44690e22dfbd2f4b5f96baa73986406 | Triage

Submit
Reports

Overview

overview

Static

static

1

Orden2410188.xls

windows7-x64

Orden2410188.xls

windows10-2004-x64

Sharing

General

Target

Orden2410188.xls
Size

938KB
Sample

241003-j8a4xaxcmg
MD5

39e2230ab8f6d983bee40367b44d0d99
SHA1

92e81d6b42529bd3171b4541ea252fce6ba3c010
SHA256

ed0b1f5749e23d2494de9cdeda7aca03c44690e22dfbd2f4b5f96baa73986406
SHA512

2d9e2060a4251c50e3d32896d71025fc57c2e588d5cbd88ce0c9ba52287f4e40d4775f528958032f7323c3f02d3a0e9e39872e5427b5ed3e9dbbfcd8234ba90c
SSDEEP

12288:UmzHJEjwWYSRD3DERnLRmF8Dl3PT7uZNPK+N4Uu/UbH0ilKLdcoCYd8Eojy1f9w:ncwHSRbARM8B3l+iv/UbUxLdwYLom1V

Score

10^/10

snakekeylogger collection defense_evasion discovery execution keylogger stealer

Static task

static1

Behavioral task

behavioral1

Sample

Orden2410188.xls

Resource

win7-20240903-en

snakekeylogger collection defense_evasion discovery execution keylogger stealer

windows7-x64

24 signatures

150 seconds

Behavioral task

behavioral2

Sample

Orden2410188.xls

Resource

win10v2004-20240802-en

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.teilecar.com
Port:
587
Username:
[email protected]
Password:
Manta924porsche=911
Email To:
[email protected]

Targets

- Target
  
  Orden2410188.xls
- Size
  
  938KB
- MD5
  
  39e2230ab8f6d983bee40367b44d0d99
- SHA1
  
  92e81d6b42529bd3171b4541ea252fce6ba3c010
- SHA256
  
  ed0b1f5749e23d2494de9cdeda7aca03c44690e22dfbd2f4b5f96baa73986406
- SHA512
  
  2d9e2060a4251c50e3d32896d71025fc57c2e588d5cbd88ce0c9ba52287f4e40d4775f528958032f7323c3f02d3a0e9e39872e5427b5ed3e9dbbfcd8234ba90c
- SSDEEP
  
  12288:UmzHJEjwWYSRD3DERnLRmF8Dl3PT7uZNPK+N4Uu/UbH0ilKLdcoCYd8Eojy1f9w:ncwHSRbARM8B3l+iv/UbUxLdwYLom1V
Score

10^/10

snakekeylogger collection defense_evasion discovery execution keylogger stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Evasion via Device Credential Deployment
  defense_evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

snakekeyloggercollectiondefense_evasiondiscoveryexecutionkeyloggerstealer

behavioral2

© 2018-2024

Terms | Privacy