General

  • Target

    Factura_Venta_024_1029.pdf.rar

  • Size

    1.1MB

  • Sample

    241014-tw54mathme

  • MD5

    dd7dce81048413dd1f7e9da5d88739b5

  • SHA1

    76deecd9dfa02498bac2150a14b1b11f44329686

  • SHA256

    793208996be71c0e081a4f84a0651124a5c725a732b3ccc82843faa1fcb33561

  • SHA512

    a4c915f7bed402a1a16ebed54f74dc644aeccdffe03613dd5a8bdef6ececdd703f495e49024d71fb939864675972b32fd66e4abe0dd1f196ff9be81ba71e7f70

  • SSDEEP

    24576:2cNgoaH7ojGixX35IF+DaypfsfJHPLuuLxXGT91llY1ZRYDyuIvp+6pYidn:1gobNDaypE1PLuul+SLRMOv44YCn

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      dg_official01.exe

    • Size

      1.2MB

    • MD5

      0917521cc67bbfe0c07339e4cb57bfef

    • SHA1

      a64298b28158d971c31ba99cd433c350469c1fde

    • SHA256

      551beb58227242af1168e2402b49bf1a6505840485fad5d618c0f9c251e4af9e

    • SHA512

      63ff71f9e8a344063ca24352d630f7e63f21a7bf72743d91a6c255e35369cbf5beaaf5057a5a33a54447e50710e150344f2d3b11e89b6ea4e4de742efff32602

    • SSDEEP

      24576:voqqHmQ2mlKpHrTguAVspHkvGGnAR9A78bVKN4aR0H6EVzRZbbk5c+Gt:voZmQ7yLVAVspEvGmS40VKWaRItb0cjt

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its console window hidden (e.g. via a hidden WindowStyle), so the user sees no visible activity.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Snedkererede/Sabbataftenernes.Feo

    • Size

      55KB

    • MD5

      621a941ec0157786a94a49cca0478957

    • SHA1

      266434766d83a9a21bed71f43e606fa1575f8061

    • SHA256

      adcb1457290f388885ca86da1a85e5fa2ac12f5a5c4676968f0ffc948b19afd3

    • SHA512

      6367c3ccd595cd153d866df3b4025563c8382e90bde9e8640eef59dcfabbe78c5f843bbe2f5c267ba9f9f1f9d731493ed4a7ed09054bcad5835dff2edbedc9d5

    • SSDEEP

      1536:EfRLnQNog/e4inTZ3X4VXDTzRjAjLNqdai1MhnzPbqPAQf:eLQNoVZSzhdaie97e

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
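
The Active Setup persistence signature above can be checked on a host directly. The following PowerShell script is an added example written for this page, not part of the sandbox report or of the Snake Keylogger sample; it enumerates `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components` (and the `Wow6432Node` view), reproduces the logon-time rule Windows applies (a `StubPath` runs when the matching HKCU record is missing or its `Version` is older, unless `IsInstalled` is 0), and flags entries whose `StubPath` launches an interpreter or points into a user-writable location. The `Test-SuspiciousStubPath` regex is my own heuristic and an assumption to tune for your environment; the script assumes it runs on Windows with registry read access.

```powershell
# Added example for auditing Active Setup persistence; not code from the report above.
# Rule Windows applies at interactive logon (per component with a StubPath under HKLM):
#   - skip if IsInstalled exists and is 0
#   - run StubPath if the HKCU record is absent
#   - otherwise run only if HKLM Version is newer than HKCU Version (comma-separated fields)
# Per-user records live under HKCU\Software\Microsoft\Active Setup\Installed Components
# regardless of the component's bitness (assumed here).

function ConvertTo-ActiveSetupVersion {
    # "11,0,23" -> @(11,0,23); $null when the value is absent or empty.
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    return [long[]]@($Text -split ',' | ForEach-Object { [long]($_.Trim()) })
}

function Compare-ActiveSetupVersion {
    # $true when the HKLM version is newer than the HKCU version, i.e. StubPath will run.
    param($Machine, $User)
    if ($null -eq $User)    { return $true }   # no per-user record yet
    if ($null -eq $Machine) { return $false }  # no Version in HKLM: presence of HKCU key is enough
    $n = [Math]::Max($Machine.Count, $User.Count)
    for ($i = 0; $i -lt $n; $i++) {
        $m = if ($i -lt $Machine.Count) { $Machine[$i] } else { 0 }
        $u = if ($i -lt $User.Count)    { $User[$i] }    else { 0 }
        if ($m -gt $u) { return $true }
        if ($m -lt $u) { return $false }
    }
    return $false
}

function Test-SuspiciousStubPath {
    # Heuristic (assumption, tune locally): script interpreters / LOLBins, hidden-window
    # or encoded-command switches, or binaries under user-writable paths.
    param([string]$StubPath)
    $pattern = '(?i)(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|' +
               '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\|-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s)'
    return [bool]($StubPath -match $pattern)
}

function Get-PendingActiveSetup {
    $machineRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
    )
    $userRoot = 'HKCU:\Software\Microsoft\Active Setup\Installed Components'

    foreach ($root in $machineRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath
            if (-not $props.StubPath) { continue }                       # nothing to execute
            if ($null -ne $props.IsInstalled -and $props.IsInstalled -eq 0) { continue }

            $userKey   = Join-Path $userRoot $key.PSChildName
            $userProps = if (Test-Path $userKey) { Get-ItemProperty -Path $userKey } else { $null }
            $userVer   = if ($userProps) { ConvertTo-ActiveSetupVersion $userProps.Version } else { $null }

            [pscustomobject]@{
                Component   = $key.PSChildName
                Name        = $props.'(default)'
                Version     = $props.Version
                UserVersion = if ($userProps) { $userProps.Version } else { $null }
                WillRun     = Compare-ActiveSetupVersion (ConvertTo-ActiveSetupVersion $props.Version) $userVer
                Suspicious  = Test-SuspiciousStubPath $props.StubPath
                StubPath    = $props.StubPath
                Hive        = $root
            }
        }
    }
}

# Show everything that will fire at the next logon, plus anything that looks like an
# attacker-planted stub even if it has already run for this user.
Get-PendingActiveSetup |
    Where-Object { $_.WillRun -or $_.Suspicious } |
    Format-Table Component, Version, UserVersion, WillRun, Suspicious, StubPath -AutoSize
```

Run it as the user whose logon you are investigating, since the HKCU comparison is per profile; a legitimate Windows component normally has a `StubPath` under `%SystemRoot%` and a `UserVersion` equal to `Version`, so a new GUID with no per-user record and a `StubPath` that invokes PowerShell from `%APPDATA%` is the pattern this page's signature describes.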

MITRE ATT&CK Enterprise v15

Tasks