Extracted

• • Target

    HEINRICHAG.xls

  • Size

    848KB

  • MD5

    5a232e6f517ecc2663439fcf2a28573d

  • SHA1

    155a24515072423a751465a774fc6e3e24e21f84

  • SHA256

    4af00aaa090c79876c7d3c1c337cdb5244f0b05689de4e22b7ed4a84bb8eb9d8

  • SHA512

    a96e1d03f6155e30e236d4234c0c352911d3780cd59493ea8545296dc8b42c2befed3972adfbf0001df24023e522547d00bb2de68c27d729cf689487ad5b4f49

  • SSDEEP

    12288:YmzHJE+CzldQD3DERnLRmF8D5JhuiC3LaQlOh4cjUVwUi4t7W:zczlWbARM8NTC3eQ0h4eU

  Score

  10^/10

  snakekeyloggercollectiondefense_evasiondiscoveryexecutionkeyloggerstealer

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger

  • Snake Keylogger payload

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Evasion via Device Credential Deployment

    defense_evasionexecution

  • Executes dropped EXE

  • Loads dropped DLL

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2