snakekeylogger | 52cb62fc662748b8c1f47a84629908d91ce13ee370683086a7932b45423d612e

General

Target

21102024_1616_21102024_SEM2024000002383.rar
Size

683KB
Sample

241021-t5rbts1dkj
MD5

a7c300c92c1fa7bc2db7046cf3840dea
SHA1

b4624f6227d893e36f4f8bc17b94328e80c0ef34
SHA256

52cb62fc662748b8c1f47a84629908d91ce13ee370683086a7932b45423d612e
SHA512

e7bef5699949c06fc4ebb122e22575b047114f9934ae6255ad81c5f0c95f0c776cf708511f86d54eacc3425234bf3a1c6b8ee405b1ac838753e7fb7f4bbfffa5
SSDEEP

12288:5fd1FyUI0weJa9rj/XjTv6TL/lIJVwiagcRmAPhW+Zyf7dWvFEk9GFVuSdd:5fdDlIWa9rj/XiTJIJqi7cmAP1yfocHD

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7840943707:AAFvjApaxzyzfiy9tTVH4n-N6k-rIeMo504/sendMessage?chat_id=2129508827

Targets

- Target
  
  SEM2024000002383.exe
- Size
  
  748KB
- MD5
  
  06fa51d68f2545f28a2b942b01a4bb13
- SHA1
  
  74fb1ce042c1982155d6d190b446dd429c7ad463
- SHA256
  
  fb79dfe6e2eebbe7882d3e688ff377c3ffcfc8d41f35e1af16f224846f4fab5b
- SHA512
  
  a11d5b3fccfc2cf03913903382b2521b609bd2d798d50e6b151c8a88f1cb835456e0f1ace18c50037de6b93c656f51b88e783fb42b80b38fd3be0d772cc5c773
- SSDEEP
  
  12288:jG6QMVyGP0Fx53cAA0jGnheowOyGOs61IYZVAecgs9FMa1Mdq8jJM:jG6QtGP0OhsGnheowDGMIYO7MoOM
Score

10^/10

discovery execution snakekeylogger collection keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Synligstes84.Hig
- Size
  
  53KB
- MD5
  
  453a8e6a5068ae5a2e5d99de31a13b3b
- SHA1
  
  9f202a5b9a8cf1ae90030e14ea99c4e787338ede
- SHA256
  
  4ac6b7ddcc88b43191a8e1329e632c3246b10dcd077b1e79efa2f0559cafa7f6
- SHA512
  
  37b6296b2434b1791d7e709d17cd8bcce6d8111505648b63227e1004461de31d07922497ed80be4e6ab115ece2964394cf6a3c1b26725a3da2fa0bb3cf7cac46
- SSDEEP
  
  768:GgwhUiC0xg3ABPAquhRXdzx0upGLv4rMdpnLh3AHtDeXqfEF8zommDR/q+UjEadh:mUiKwhuxzxJpavgq0DeXqf7oYPXEw
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4