General

  • Target

    73244eb1f8f3c161649203b9c8c5bb274d2c4e413e75cfddccbcd093ec29791f

  • Size

    737KB

  • Sample

    241106-l7twqsybkd

  • MD5

    38cfdc3ca1f5f75be9939176c122c6dc

  • SHA1

    326765c63d5ae38598dbd825f712878bf886d735

  • SHA256

    73244eb1f8f3c161649203b9c8c5bb274d2c4e413e75cfddccbcd093ec29791f

  • SHA512

    ec1220ff717094386d357c11adeab13092d7ec71adcf840519be227c4941aac4f2a99d987000f1d4a4634a556462cca86d26dcbe2509916fee515f9cb3964ebc

  • SSDEEP

    12288:5X44oQ71bcNIr5fkH1TG+6IkuRjfDlQ+yAvQT/6/rLmssQdb08FE9iB5w7/ozzDk:5X44oQ7GacH1ToQlry3Tdssc08XGszIx

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7602241848:AAGOG1RAiVBKad-IMDgRf04J_SQO8x6g-hI/sendMessage?chat_id=5302361040
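Worked example (added here; it is not part of the sandbox report and not code from the malware): splitting the Telegram bot C2 URL above into the fields worth tracking as IOCs (bot id, full token, method, chat_id) and hunting for them in proxy logs. The proxy log lines and their five-field "timestamp client method url process" format are constructed, and the list of public-IP lookup hosts is an assumption: the report only says the sample uses a legitimate IP lookup service, not which one.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# C2 URL exactly as extracted from the sample's configuration (from the report above).
C2_URL = ("https://api.telegram.org/bot7602241848:AAGOG1RAiVBKad-IMDgRf04J_SQO8x6g-hI"
          "/sendMessage?chat_id=5302361040")

# Telegram Bot API paths have the form /bot<bot_id>:<secret>/<method>.
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")

# Assumption: hosts stealers commonly query to learn the victim's public IP.
# The report does not name the service this sample used.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ifconfig.me"}


def parse_telegram_c2(url):
    """Break a Telegram Bot API URL into the fields worth tracking as IOCs."""
    parts = urlsplit(url)
    m = BOT_PATH_RE.match(parts.path)
    if parts.hostname != "api.telegram.org" or m is None:
        raise ValueError(f"not a Telegram Bot API URL: {url}")
    chat_ids = parse_qs(parts.query).get("chat_id", [])
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",  # the full token identifies the bot, not one sample
        "method": m["method"],
        "chat_id": chat_ids[0] if chat_ids else None,
    }


# Constructed proxy log lines in a hypothetical "timestamp client method url process" format.
SAMPLE_LOG = """\
2024-11-06T09:12:01Z 10.0.0.17 GET http://checkip.dyndns.org/ quotation.exe
2024-11-06T09:12:03Z 10.0.0.17 POST https://api.telegram.org/bot7602241848:AAGOG1RAiVBKad-IMDgRf04J_SQO8x6g-hI/sendMessage?chat_id=5302361040 quotation.exe
2024-11-06T09:13:10Z 10.0.0.22 POST https://api.telegram.org/bot111111111:AAExampleTokenOfSomeOtherBot/sendDocument?chat_id=42 svchost.exe
2024-11-06T09:14:00Z 10.0.0.31 GET https://www.example.com/ chrome.exe
"""


def scan_proxy_log(log_text, known_tokens=frozenset()):
    """Return one finding per client that talks to the Telegram Bot API.

    Severity: 'known-c2' when a seen token matches an IOC, 'bot-api+ip-lookup' when the
    same client also queried a public-IP service (the stealer pattern in the report),
    otherwise 'bot-api'.
    """
    telegram = defaultdict(list)
    ip_lookup = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than abort the scan
        ts, client, _method, url, process = fields
        parts = urlsplit(url)
        if parts.hostname in IP_LOOKUP_HOSTS:
            ip_lookup.add(client)
        elif parts.hostname == "api.telegram.org":
            m = BOT_PATH_RE.match(parts.path)
            if m:
                telegram[client].append((ts, f"{m['bot_id']}:{m['secret']}", m["method"], process))

    findings = []
    for client, hits in sorted(telegram.items()):
        tokens = {t for _, t, _, _ in hits}
        if tokens & known_tokens:
            severity = "known-c2"
        elif client in ip_lookup:
            severity = "bot-api+ip-lookup"
        else:
            severity = "bot-api"
        findings.append({"client": client, "severity": severity,
                         "tokens": sorted(tokens),
                         "processes": sorted({p for *_, p in hits})})
    return findings


if __name__ == "__main__":
    ioc = parse_telegram_c2(C2_URL)
    print("IOC:", ioc)
    for finding in scan_proxy_log(SAMPLE_LOG, known_tokens={ioc["token"]}):
        print(finding)
```

The token is the more durable indicator: every build configured with this bot shares it, while the file hashes above change with each repack. A non-browser process calling api.telegram.org/bot*/sendMessage or sendDocument is worth an alert even without a token match, and the correlation with an external-IP lookup from the same client shortly before is the sequence the report's signatures describe.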

Targets

    • Target

      PO 20241325-SQ20240002189 (revised-3) Quotation______________________________________________.exe

    • Size

      767KB

    • MD5

      21a5378b2c78f66fff23ec764cba65f2

    • SHA1

      94e2921a8a2e47611c936235b5ba03feecf00fff

    • SHA256

      b23119bb95d44f50e52555f51c9931389d3d559b9f74e34041e9fa6bc2b7f481

    • SHA512

      885aaec0dea4fbf8d46da71bb34f776a8f212e99bf7da7082ef312a1936d46d5b59327c5650a50582df474cae7174dfafe3fa606876d218501f02cd3a25e05d0

    • SSDEEP

      12288:bMwhYlU9blucsKZ1XjfCTD/qp0xmk9qPARcQFY9fcNLqH66cOsFoTvGU5ZqLm:bMwhY+9blYKPGZx0PARxFWfcFqal/F4X

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Saganashes.Com

    • Size

      51KB

    • MD5

      86971efe48eae4401b734e86152c12aa

    • SHA1

      93376b7df5fa9f5d363e263dd898b86e42e40ec0

    • SHA256

      8e626d6dc0bb24ed272eaec732b70f81e306c38eba28df9e96ce78d61a75e455

    • SHA512

      a04489dfa81e2fe20f1a8f07c562ed4a05f85b74d5745d6cb712252a46f997a7de6c9f11c3fa902c7c7b03f6ff8596e89e064c251b6a348dfb0d3b7ff6a02455

    • SSDEEP

      768:AN4iitGvtxOdn/KpRVkmzfjoAPPSQJorIsqd1d4FdJF9wBYExO4u5lwSnuzC:C6o7kn/KdHdf2rtC1d42BYExOT5lwQ

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a component key under Active Setup in HKLM; its StubPath command is executed at logon for every user whose HKCU hive does not yet contain that component (or holds an older Version).

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
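Worked example (added here; not from the sandbox report): triaging the Active Setup persistence location named in the signature above from an offline `reg export` of HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components. The export text, GUIDs and paths are constructed; the two heuristics (a script host as the stub, or a user-writable path in the stub command) are assumptions chosen for the example, and only string values are parsed, so a `dword` IsInstalled value would be ignored.

```python
import re

# Constructed .reg export in the format written by
#   reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg
# (reg.exe writes UTF-16; decode a real file with encoding="utf-16" before parsing).
# GUIDs and paths are made up for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
@="Example OS component"
"StubPath"="C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}]
"StubPath"="powershell.exe -WindowStyle Hidden -File C:\\Users\\Public\\update.ps1"
"Version"="9,9,9,9"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{ffffffff-0000-1111-2222-333333333333}]
"StubPath"="\"C:\\Users\\victim\\AppData\\Roaming\\svc\\svc.exe\" /silent"
"""

ACTIVE_SETUP = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|@)="(?P<data>(?:[^"\\]|\\.)*)"$')

# Heuristics assumed for the example: OS components are not registered here through a
# script host, and their stubs do not live in user-writable directories.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = entries.setdefault(km["key"], {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            # .reg escapes backslash and double quote with a leading backslash
            current[vm["name"] or "@"] = re.sub(r"\\(.)", r"\1", vm["data"])
    return entries


def stub_executable(stub):
    """First token of a StubPath command line, honouring a quoted program path."""
    stub = stub.strip()
    if stub.startswith('"'):
        end = stub.find('"', 1)
        return stub[1:end] if end > 0 else stub[1:]
    return stub.split(" ", 1)[0]


def triage_active_setup(entries):
    """Flag Active Setup components whose StubPath looks like a dropped payload."""
    findings = []
    for key, values in entries.items():
        if not key.startswith(ACTIVE_SETUP) or "StubPath" not in values:
            continue
        stub = values["StubPath"]
        reasons = []
        if stub_executable(stub).rsplit("\\", 1)[-1].lower() in INTERPRETERS:
            reasons.append("script interpreter as stub")
        if any(p in stub.lower() for p in USER_WRITABLE):
            reasons.append("references user-writable path")
        if reasons:
            findings.append({"component": key[len(ACTIVE_SETUP):], "stub": stub,
                             "version": values.get("Version"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_active_setup(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

To tell whether a flagged component has already fired for a given user, export the same path under HKCU: a matching GUID with the same or higher Version means the stub has run for that account, and the absence of a Version value in HKLM means the stub runs once for each user that has no HKCU copy at all.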

MITRE ATT&CK Enterprise v15

Tasks