Extracted

• • Target

    Mensajes en cuarentena.zip

  • Size

    636KB

  • MD5

    17efe4e64bf28bfb62ba67da84444d15

  • SHA1

    9a5c1fb1145dfd5008ddbe4cdbb167525f2e11c5

  • SHA256

    a580d66b0d0957cfb2c06d6ac3cfa1bc1965c94fcdc553f7580d3c5275f74b36

  • SHA512

    a4d4bfcaead62bc535abe982799862dd8b342958b524e7d559c26f382ee1b71cc1ae00bdfcb7e65519be59e36a60ab42e4a34913cf35359af98fa72df33fd266

  • SSDEEP

    12288:+ZGeuKUjt2oQqu6fX0iL5dQzbrGR4T3gD4pBtpRoD99El81arZk:+Z3s22Xv1m84A4rt3opaOsdk

  Score

  10^/10

  snakekeyloggercollectiondefense_evasiondiscoveryexecutionkeyloggerspywarestealer

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger

  • Snake Keylogger payload

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Executes dropped EXE

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Binary Proxy Execution: Verclsid

    Adversaries may abuse Verclsid to proxy execution of malicious code.

    defense_evasion

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2