General
- Target: malw.exe
- Size: 715KB
- Sample: 241004-nhfnxs1drj
- MD5: 8ea1822769d934de6294df2f28b58d21
- SHA1: 19828a1388a095de254d29c38295197462eed679
- SHA256: 477c194d28848fc694b23c8074569d3028502f2e87bc92b103ae63cf795f551a
- SHA512: 67bd5fd7a9e50775c80f8598e21fca6b767a580ad0f1d553885f39b1a79365168b0cc2d35d545878f808ea124b4cdbe0a78cc28afdd1ecddd766fb40d9fba7cf
- SSDEEP: 12288:4Tv8CCDmr86qJEqwz6WOfZj1cLvmj+hhV1BUwngO:Uv8Lqv8cLvJhhV1B3ng
Static task
- static1

Behavioral task
- behavioral1
  - Sample: malw.exe
  - Resource: win7-20240708-en

Behavioral task
- behavioral2
  - Sample: malw.exe
  - Resource: win10v2004-20240802-en
Malware Config

Targets
- Target: malw.exe
- Snake Keylogger payload
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
- Credential Access
  - Credentials from Password Stores: 1
    - Credentials from Web Browsers: 1
  - Unsecured Credentials: 2
    - Credentials In Files: 2