Overview

overview

10

Static

static

3

d5dbb09b7e...2a.exe

windows7-x64

10

d5dbb09b7e...2a.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d5dbb09b7ecb1ba95cc42d1757a2e72e0c4bbd86cca5dd43dabf3a0d9425432a.exe

  • Size

    878KB

  • Sample

    241012-cazahswena

  • MD5

    0c285a3c76e1f5f981de6282fedf1919

  • SHA1

    dc3f467ff13529349090edc5c1a9aa597bd65e41

  • SHA256

    d5dbb09b7ecb1ba95cc42d1757a2e72e0c4bbd86cca5dd43dabf3a0d9425432a

  • SHA512

    ac1fe6ac984c63adb12c15c27ca74f2120dfae406a2ba532c29d545ab56739b9ad8915447204e4770cc1d3e822ac0d7271e36c43d71c43e8a4b245878dd5a43d

  • SSDEEP

    24576:miGFaq43NvCZXv/+2JujTrlCJREBJ/QOead:miGFu3Nvw3+XdrJ/qad

Score
10/10
snakekeyloggerdiscoverykeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    webmail.berkeleyindia.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    2szbiev2pciv

Targets

    • Target

      d5dbb09b7ecb1ba95cc42d1757a2e72e0c4bbd86cca5dd43dabf3a0d9425432a.exe

    • Size

      878KB

    • MD5

      0c285a3c76e1f5f981de6282fedf1919

    • SHA1

      dc3f467ff13529349090edc5c1a9aa597bd65e41

    • SHA256

      d5dbb09b7ecb1ba95cc42d1757a2e72e0c4bbd86cca5dd43dabf3a0d9425432a

    • SHA512

      ac1fe6ac984c63adb12c15c27ca74f2120dfae406a2ba532c29d545ab56739b9ad8915447204e4770cc1d3e822ac0d7271e36c43d71c43e8a4b245878dd5a43d

    • SSDEEP

      24576:miGFaq43NvCZXv/+2JujTrlCJREBJ/QOead:miGFu3Nvw3+XdrJ/qad

    Score
    10/10
    snakekeyloggerdiscoverykeyloggerstealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      34442e1e0c2870341df55e1b7b3cccdc

    • SHA1

      99b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c

    • SHA256

      269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1

    • SHA512

      4a8c57fb12997438b488b862f3fc9dc0f236e07bb47b2bce6053dcb03ac7ad171842f02ac749f02dda4719c681d186330524cd2953d33cb50854844e74b33d51

    • SSDEEP

      192:jPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4I:u7VpNo8gmOyRsVc4

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks