General

  • Target

    Aldersgruppeen.exe

  • Size

    592KB

  • Sample

    241014-ls7jaaxhkl

  • MD5

    ec0272193c8164d401b2ab2778c9cc16

  • SHA1

    3f540bbd6631067183b0ba96d8a19420aacc956c

  • SHA256

    85fef3b696a7476ae1d961d959d6afc9f3db592a9f38137f33e84a042e1aed87

  • SHA512

    538af178dbddd67a79ee989bc7aac13d389b1a22a515593daf108df0c8d4c59a7124841c1b21d3b8386f1e21b4fb1d9a883cd420e6572cb35199f278eec797a6

  • SSDEEP

    12288:Stons9Huj0tm12i9L8XK8+xhslfSs9abpsOrMe7g2eUz:3nuFtmF9IXK8EGlftabpsizT

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      Aldersgruppeen.exe

    • Size

      592KB

    • MD5

      ec0272193c8164d401b2ab2778c9cc16

    • SHA1

      3f540bbd6631067183b0ba96d8a19420aacc956c

    • SHA256

      85fef3b696a7476ae1d961d959d6afc9f3db592a9f38137f33e84a042e1aed87

    • SHA512

      538af178dbddd67a79ee989bc7aac13d389b1a22a515593daf108df0c8d4c59a7124841c1b21d3b8386f1e21b4fb1d9a883cd420e6572cb35199f278eec797a6

    • SSDEEP

      12288:Stons9Huj0tm12i9L8XK8+xhslfSs9abpsOrMe7g2eUz:3nuFtmF9IXK8EGlftabpsizT

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Otelcosis/Makabreres.Vol

    • Size

      51KB

    • MD5

      7813853161f7340e47a87cdbdfd3a56d

    • SHA1

      830361f5c97f811af32b9b6ffa4aecaf69ea3ceb

    • SHA256

      b78167a2812a5b68085e363f88ddacc193f2a311f6ca4ff961a4eb79dbea218b

    • SHA512

      b895170e7e4568f9e73435101741a56da226a87371b3bda4a098d7e7af974341e3726fbab56a69eb6ec241351832c7d023008473d44daaaa1768626b670be418

    • SSDEEP

      1536:vyuQkJAQQIN073zKXaIvh49RvHcQ3V4/M2LBpn5nViS:auIQQIS73O1vhUvKnViS

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks