General

  • Target

    HEINRICH AG.xls

  • Size

    848KB

  • Sample

    241022-rbvfaaycqf

  • MD5

    5a232e6f517ecc2663439fcf2a28573d

  • SHA1

    155a24515072423a751465a774fc6e3e24e21f84

  • SHA256

    4af00aaa090c79876c7d3c1c337cdb5244f0b05689de4e22b7ed4a84bb8eb9d8

  • SHA512

    a96e1d03f6155e30e236d4234c0c352911d3780cd59493ea8545296dc8b42c2befed3972adfbf0001df24023e522547d00bb2de68c27d729cf689487ad5b4f49

  • SSDEEP

    12288:YmzHJE+CzldQD3DERnLRmF8D5JhuiC3LaQlOh4cjUVwUi4t7W:zczlWbARM8NTC3eQ0h4eU

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot8129252196:AAFb_vUYwennKVolbwpXf3vnDfT_yhozHns/sendMessage?chat_id=7004340450

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Evasion via Device Credential Deployment

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext