General

  • Target

    cb58bf810026a8ee8a4e7dda3a23369f4f3a1170e97010cd45b698dc412a4b4b.exe

  • Size

    455KB

  • Sample

    241026-c5kevazcmk

  • MD5

    64125d381137afda5c8ec6be3865f00b

  • SHA1

    2869466fb83c10b3009befce7cfd90e7e819500b

  • SHA256

    cb58bf810026a8ee8a4e7dda3a23369f4f3a1170e97010cd45b698dc412a4b4b

  • SHA512

    969b559acc761532548b86b22f107c018150f64f2338990b418bd00c8c813a8c85f503e087db15a3e55c50e9fd71f088b203b7e1fb6993f7a279678a1612a0f9

  • SSDEEP

    12288:xTMQmUVDbh1VCnBcS1tx7uxr2sN9cdPV+a51:xTMQvpjVCiHig9qPVf

Malware Config

Extracted

  • Family

    snakekeylogger

  • C2

    https://api.telegram.org/bot7635736517:AAHFp6wO5kdpMkKD4zsolwNzrM3D08NLJQw/sendMessage?chat_id=5913849875
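The extracted C2 is not an operator-run server but Telegram's public Bot API, which is why the report also flags legitimate hosting services abused for C2. The Python below is an added example, not code from the sandbox report or from Snake Keylogger: it splits that URL into bot id, token, API method and chat_id, then pivots on the bot id over proxy log lines. C2_URL is the value the report extracted; the token format check, the proxy log format and the log lines themselves are constructed assumptions.

```python
"""Parse the Telegram Bot API C2 URL extracted from this sample and pivot on it.

Added example, not code from the sandbox report or from Snake Keylogger.
C2_URL is the value the report extracted; the token format check, the proxy
log format and the log lines are constructed assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

C2_URL = ("https://api.telegram.org/bot7635736517:AAHFp6wO5kdpMkKD4zsolwNzrM3D08NLJQw"
          "/sendMessage?chat_id=5913849875")

# Bot API paths are /bot<bot id>:<secret>/<method>. The bot id is the bot's numeric
# Telegram user id and survives a token revocation; only the secret changes.
# Assumption: the secret is 30-50 chars of [A-Za-z0-9_-]; Telegram documents no fixed length.
_TOKEN_RE = re.compile(r"^bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,50})$")


def parse_telegram_c2(url):
    """Return {bot_id, token, method, chat_id} for a Telegram Bot API URL, else None."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or u.hostname != "api.telegram.org":
        return None
    parts = [p for p in u.path.split("/") if p]
    if len(parts) != 2:
        return None
    m = _TOKEN_RE.match(parts[0])
    if not m:
        return None
    query = parse_qs(u.query)
    return {
        "bot_id": m.group("bot_id"),
        "token": f"{m.group('bot_id')}:{m.group('secret')}",
        "method": parts[1],
        "chat_id": query.get("chat_id", [None])[0],
    }


# Constructed proxy log lines (not from the report): "<time> <src ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2024-10-26T03:11:02Z 10.0.5.17 POST " + C2_URL + " 200",
    "2024-10-26T03:11:40Z 10.0.5.23 GET https://api.telegram.org/bot123456789:AAEconstructedconstructedconstructed/getUpdates 200",
    "2024-10-26T03:12:05Z 10.0.5.17 POST https://api.telegram.org/bot7635736517:AAHFp6wO5kdpMkKD4zsolwNzrM3D08NLJQw/sendDocument 200",
    "2024-10-26T03:12:30Z 10.0.5.30 GET https://www.example.com/ 200",
]


def proxy_hits(lines, bot_id):
    """(src ip, Bot API method) for every line that talks to the given bot id.

    Matching on the bot id rather than the full URL also catches other methods
    (sendDocument for file exfiltration) and a rotated secret.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        cfg = parse_telegram_c2(fields[3])
        if cfg and cfg["bot_id"] == bot_id:
            hits.append((fields[1], cfg["method"]))
    return hits


if __name__ == "__main__":
    cfg = parse_telegram_c2(C2_URL)
    print("bot id:", cfg["bot_id"], "chat id:", cfg["chat_id"], "method:", cfg["method"])
    for src, method in proxy_hits(SAMPLE_PROXY_LOG, cfg["bot_id"]):
        print(f"{src} -> {method}")
```

Blocking api.telegram.org outright is rarely an option, so the useful indicator is the bot id: any host in the proxy logs posting to that bot, by whatever method, is a victim of this sample or a sibling build.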

Targets

    • Target

      cb58bf810026a8ee8a4e7dda3a23369f4f3a1170e97010cd45b698dc412a4b4b.exe

    • Size

      455KB

    • MD5

      64125d381137afda5c8ec6be3865f00b

    • SHA1

      2869466fb83c10b3009befce7cfd90e7e819500b

    • SHA256

      cb58bf810026a8ee8a4e7dda3a23369f4f3a1170e97010cd45b698dc412a4b4b

    • SHA512

      969b559acc761532548b86b22f107c018150f64f2338990b418bd00c8c813a8c85f503e087db15a3e55c50e9fd71f088b203b7e1fb6993f7a279678a1612a0f9

    • SSDEEP

      12288:xTMQmUVDbh1VCnBcS1tx7uxr2sN9cdPV+a51:xTMQvpjVCiHig9qPVf

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its console window hidden (the -WindowStyle Hidden option).

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $_12_/Ufarligheden.Pic

    • Size

      53KB

    • MD5

      81af4fd82b47873584f160fb4228293a

    • SHA1

      656b56b51ec006f0dd660a92a8d270d52ae4fb8d

    • SHA256

      f639169cb559cd1866363100feb43da1b170b708623f45b12c0a706e01561ab6

    • SHA512

      caa807605ec4b51dc27a2e2a5db33818cebc082c84893d6ea0b588a5d1a4bb80f49ce3d5dae96a1baaa25a64420a2455237ae3b1ee8e3765cb99987f775af406

    • SSDEEP

      768:RjrAVpqj8lMfQwOJ0dACRcJPBYIsp8+mIrOvpk7bql3p3ruLcuIxAPTa7uGAoeW9:RvYA8aYYIsp8+5YMOtU3hPTa7eo

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a registry key under Active Setup (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components) on the local machine; the command in that key's StubPath value runs for each user at their next logon whenever the matching HKCU key is absent or older.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
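Two of the behaviours listed for this sample, PowerShell started with a hidden window (T1059.001) and an Active Setup StubPath write (T1547.014), leave clear traces in process-creation and registry telemetry. The Python below is an added example, not part of the sandbox report or of the malware; it runs both checks over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set) in a simplified dict form assumed for illustration. The paths, GUIDs and command lines in the sample events are constructed.

```python
"""Flag hidden-window PowerShell and Active Setup StubPath persistence in endpoint telemetry.

Added example, not part of the sandbox report or of the malware. Events are a
simplified Sysmon-like dict form (assumption): EventID 1 = process creation,
EventID 13 = registry value set. All events below are constructed.
"""
import re
from pathlib import PureWindowsPath


def _prefixes(word, minimum):
    """Regex alternation of every prefix of `word` with at least `minimum` chars, longest first."""
    return "|".join(re.escape(word[:i]) for i in range(len(word), minimum - 1, -1))


# powershell.exe accepts any unambiguous prefix of a parameter name, so -WindowStyle
# shows up as -w, -win, -window... The value is "hidden" or its enum number 1.
HIDDEN_WINDOW_RE = re.compile(
    r"(?i)(?<!\S)-(?:" + _prefixes("windowstyle", 1) + r")\s+(?:hidden|1)(?!\S)"
)

# HKLM\SOFTWARE\[Wow6432Node\]Microsoft\Active Setup\Installed Components\<id>\StubPath
ACTIVE_SETUP_STUBPATH_RE = re.compile(
    r"(?i)^HK(?:LM|EY_LOCAL_MACHINE)\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Active Setup"
    r"\\Installed Components\\[^\\]+\\StubPath$"
)

# Locations a standard user can write to; a StubPath pointing here is the suspicious case.
USER_WRITABLE_RE = re.compile(
    r"(?i)(?:\\Users\\|\\ProgramData\\|\\Temp\\|%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE|PUBLIC)%)"
)

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def is_hidden_powershell(image, command_line):
    """True when a PowerShell host is started with its console window hidden."""
    if PureWindowsPath(image).name.lower() not in POWERSHELL_IMAGES:
        return False
    return HIDDEN_WINDOW_RE.search(command_line) is not None


def active_setup_severity(target_object, details):
    """'high' for a StubPath pointing to a user-writable location, 'medium' for any other
    StubPath write (Windows components set these too), None if the value is not a StubPath."""
    if not ACTIVE_SETUP_STUBPATH_RE.match(target_object):
        return None
    return "high" if USER_WRITABLE_RE.search(details) else "medium"


def detect(events):
    """Return (ATT&CK id, severity, evidence) tuples for matching events, in event order."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1 and is_hidden_powershell(ev.get("Image", ""), ev.get("CommandLine", "")):
            findings.append(("T1059.001", "high", ev["CommandLine"]))
        elif ev.get("EventID") == 13:
            sev = active_setup_severity(ev.get("TargetObject", ""), ev.get("Details", ""))
            if sev:
                findings.append(("T1547.014", sev, ev["TargetObject"]))
    return findings


# Constructed events; paths, GUIDs and command lines are illustrative, not from the report.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Users\victim\Downloads\invoice.exe",
     "CommandLine": 'powershell.exe -NoP -w hidden -ep bypass -c "Start-Sleep 5"'},
    {"EventID": 13, "Image": r"C:\Users\victim\Downloads\invoice.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{0f3a1e2d-0000-4000-8000-000000000001}\StubPath",
     "Details": r"C:\Users\victim\AppData\Roaming\update.exe"},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0f3a1e2d-0000-4000-8000-000000000002}\StubPath",
     "Details": r"C:\Windows\System32\regsvr32.exe /s /n /i:U shell32.dll"},
]

if __name__ == "__main__":
    for technique, severity, evidence in detect(SAMPLE_EVENTS):
        print(f"{technique} [{severity}] {evidence}")
```

The StubPath check is split into two severities on purpose: Windows itself ships Active Setup components whose StubPath lives under the system directories, so a flat "any StubPath write" rule is noisy, while a StubPath under a user profile, ProgramData or a Temp directory has no legitimate reason to exist and can alert on its own.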

MITRE ATT&CK Enterprise v15

Tasks