Extracted

• • Target

    PO#7372732993039398372372973928392832973PDF.exe

  • Size

    802KB

  • MD5

    1894ec28b39f16b101d1e6c87b86e485

  • SHA1

    b500406168d64fa7d732249c1110f3fc29c17837

  • SHA256

    74a179d75552a0768d8857d11e5e2c2481e416735291ac98332a504cdb60ba35

  • SHA512

    005389271912b29cc8f7ccab93123ae1a7d7ed2341e520f0d2e0d4054ac2119735eae40ed7891796b55d0e150ac6f06b232119975cded446ee50bad6d398042b

  • SSDEEP

    24576:gMwhYSztYf+EDrseJDWIrxdJJ+Zx0PARxFWfcFqal/F4X5ZikM:gMwhNzKfNnsNiH3+Zq+WfQiX54

  Score

  10^/10

  discoveryexecutionsnakekeyloggerkeyloggerstealer

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger

  • Snake Keylogger payload

  • Snakekeylogger family

    snakekeylogger

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Blocklisted process makes network request

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2

• • Target

    Clinopinacoidal/Upchuck.Sli

  • Size

    54KB

  • MD5

    282abf9b52e4ae72cead97089f079dad

  • SHA1

    b3273b1372e49947e159b541ff829e7206e95650

  • SHA256

    1f16b8c905f2d8f6fe3e3b6f08a8a18259d81cc7f918a7a61bb8f2954a704a20

  • SHA512

    54ef11fc44dff9bf94d324b428c70b6e895b15300303b226c029cee86b8f1dc27bcdc8751c86d5250364c30384cafb85c145dee32337c6b992a55b72e2e5bf2b

  • SSDEEP

    1536:24zKIs9vN0uSPLvogyzm1qY3ny+z2iCNLuSU0Q/4hxRzGvs6vh:RzqvYTOCqY3XXfeRgrJ

  Score

  8^/10

  executionpersistence

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  behavioral3behavioral4