General

  • Target

    2e39f29b755fc805008c9e6f1176886fa8a95f24b747c7b89111a2760df010fe.exe

  • Size

    789KB

  • Sample

    241107-cqaxvstbmf

  • MD5

    05e37e00aeb345d46e0d6d227788d0e7

  • SHA1

    a0074e96d230f0a0bf8231a7abf6bc7cb628ed48

  • SHA256

    2e39f29b755fc805008c9e6f1176886fa8a95f24b747c7b89111a2760df010fe

  • SHA512

    2832448ce5601476d84c4a7a0cd405faaaf7cdf928892cd341e0f1f7850382f879b9d9fe4cc61131f3292f05cedfdc73cc4fdbe2ec54d4c108e429b181da3d63

  • SSDEEP

    24576:IMwhYyOsQzjhJj1kc3qZx0PARxFWfcFqal/F4X5ZiNI:IMwh9OR9JRvaZq+WfQiX56I

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot8040460346:AAFN58T9Y0-aqdzScEiebBO06S141L8RsSA/sendMessage?chat_id=6680692809

Targets

    • Target

      2e39f29b755fc805008c9e6f1176886fa8a95f24b747c7b89111a2760df010fe.exe

    • Size

      789KB


    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Accesses Microsoft Outlook profiles

    • Blocklisted process makes network request

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Biggings148/Soranere.Red198

    • Size

      54KB

    • MD5

      45a45d4ca67207bba6b7c59f4516279d

    • SHA1

      3b366b1fb6a9e042c37162c8173f51a6b3690650

    • SHA256

      76a1abb4c1bea47aeda60dffe2c54b786dd79574a04f2267fa771ceb968d1cb5

    • SHA512

      ac0fc5884b44b0e0257545b36410e31de3542374872780b831cb0440cdab8759e7c40ba67ec542978a32aecd372ea72766b1e1ace321a4e9793757e862cd8076

    • SSDEEP

      1536:jE21LD6iMX98cWySJec5W2Q7oKzOraaeSo0:Y8eik1oec5a0sOrNeSo0

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks