snakekeylogger | e7163358d7945ac9fa343eb49725d8ce1021993347178b1f5725e4689fd35059 | Triage

Submit
Reports

Overview

overview

Static

static

1

TTXAPPLICATION.xls

windows7-x64

TTXAPPLICATION.xls

windows10-2004-x64

Sharing

General

Target

TTXAPPLICATION.xls
Size

1.0MB
Sample

241004-khkfbsycnh
MD5

a88d8222f0c50bf06a91b3a9567c3306
SHA1

eb6afe8b34c4fd7c15104630e6a666322ba7420f
SHA256

e7163358d7945ac9fa343eb49725d8ce1021993347178b1f5725e4689fd35059
SHA512

0db10f1be93c95dda95425cff166e5ef87e3db6daa8f1ca882dd97a5a8f9bde893a3586bdd0a2ceeb744bd8d5c70b2c2a5c3388a1fe193a1d9501c76c8569259
SSDEEP

12288:xmzHJEHAfwu4hqD3DERnLRmF8DfPrf173d2FuLg70Je/mAI98dvj54002UZlAZ:gLw/hqbARM83V3uaGjS000

Score

10^/10

snakekeylogger collection defense_evasion discovery execution keylogger stealer

Static task

static1

Behavioral task

behavioral1

Sample

TTXAPPLICATION.xls

Resource

win7-20240903-en

snakekeylogger collection defense_evasion discovery execution keylogger stealer

windows7-x64

24 signatures

150 seconds

Behavioral task

behavioral2

Sample

TTXAPPLICATION.xls

Resource

win10v2004-20240802-en

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.teilecar.com
Port:
587
Username:
[email protected]
Password:
Manta924porsche=911
Email To:
[email protected]

Targets

- Target
  
  TTXAPPLICATION.xls
- Size
  
  1.0MB
- MD5
  
  a88d8222f0c50bf06a91b3a9567c3306
- SHA1
  
  eb6afe8b34c4fd7c15104630e6a666322ba7420f
- SHA256
  
  e7163358d7945ac9fa343eb49725d8ce1021993347178b1f5725e4689fd35059
- SHA512
  
  0db10f1be93c95dda95425cff166e5ef87e3db6daa8f1ca882dd97a5a8f9bde893a3586bdd0a2ceeb744bd8d5c70b2c2a5c3388a1fe193a1d9501c76c8569259
- SSDEEP
  
  12288:xmzHJEHAfwu4hqD3DERnLRmF8DfPrf173d2FuLg70Je/mAI98dvj54002UZlAZ:gLw/hqbARM83V3uaGjS000
Score

10^/10

snakekeylogger collection defense_evasion discovery execution keylogger stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Evasion via Device Credential Deployment
  defense_evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

snakekeyloggercollectiondefense_evasiondiscoveryexecutionkeyloggerstealer

behavioral2

© 2018-2024

Terms | Privacy