General

  • Target

    b476192616b9cece95c9071605ecce3902e64beb8e67ca7336b3f3f75411fdfe.exe

  • Size

    661KB

  • Sample

    241016-f3nk9syerl

  • MD5

    ed7695b5b954ca353713414660616cae

  • SHA1

    5bfb7d46c2620043abfe19337ab791358c965be6

  • SHA256

    b476192616b9cece95c9071605ecce3902e64beb8e67ca7336b3f3f75411fdfe

  • SHA512

    07a2a739a26eb65adfa184612df8603e51385979013803b8921ad4713fa029dca673e0c004a9c42b03a93715c9e66f717eda33008aa462288077b1674708f46d

  • SSDEEP

    12288:v8KFAGRJlG+7rz/Xx5GjIW0ep9Rr2M/iTGYqWofv1zSFXMhuV+7+bY:vbY47GECyCiuW095ugcY

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7718195303:AAH0NmZU1fTlGiQsVioB6NIIeKKsLF_-cmM/sendMessage?chat_id=6624630813

Targets

    • Target

      b476192616b9cece95c9071605ecce3902e64beb8e67ca7336b3f3f75411fdfe.exe

    • Size

      661KB

    • MD5

      ed7695b5b954ca353713414660616cae

    • SHA1

      5bfb7d46c2620043abfe19337ab791358c965be6

    • SHA256

      b476192616b9cece95c9071605ecce3902e64beb8e67ca7336b3f3f75411fdfe

    • SHA512

      07a2a739a26eb65adfa184612df8603e51385979013803b8921ad4713fa029dca673e0c004a9c42b03a93715c9e66f717eda33008aa462288077b1674708f46d

    • SSDEEP

      12288:v8KFAGRJlG+7rz/Xx5GjIW0ep9Rr2M/iTGYqWofv1zSFXMhuV+7+bY:vbY47GECyCiuW095ugcY

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Kodrivernes.Leg

    • Size

      51KB

    • MD5

      26f8a8d3825e9c40a9a38dc4e1df576a

    • SHA1

      b374e6bd5d638466255e3045dab078925015404c

    • SHA256

      6468cdcafb15dcdcd616d53de9e64f6e56de157e47e3f23402ea281e09b2bd41

    • SHA512

      e8d5c2fc7bdc6dfc4f4b63abae2631555a0aa8080b4b8d6c6284faa23a882bd2b25acc6aeb91ca89aa0c6b74d6f4e5025532f1760e33a90dd2b931366f1db561

    • SSDEEP

      768:Fj4fAwN6sULxaVtVo88J5XUuBMvmsrqo6AUSQ80MubHhmZ452Dfv1yw/VoABGNSv:t4owUsUNIPQBYzrqo6Hu0MMqZb9j/LBN

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15
