Overview

overview

10

Static

static

1

f8b3078e40...aa.exe

windows7-x64

8

f8b3078e40...aa.exe

windows10-2004-x64

10

Saccate/Ch...no.ps1

windows7-x64

3

Saccate/Ch...no.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f8b3078e40bcfcd0c464054ab5d942bff72aa8c27aa6cf9838dd2daaac854caa

  • Size

    774KB

  • Sample

    241107-s1r7wsvejr

  • MD5

    35a14ec5e93e8606051d692c0510b4b2

  • SHA1

    58ffd63f713bf54c45237f3012cc92f624966376

  • SHA256

    f8b3078e40bcfcd0c464054ab5d942bff72aa8c27aa6cf9838dd2daaac854caa

  • SHA512

    a2d1173236b20a717d9ea402fd29540ce9ac002d49421d8343c34e7e63d5fcd8c9a3419ed130c677ac380b0a571cb7db23d6601cee19cc321045c0c035795c3c

  • SSDEEP

    12288:tPVXv0yQ9TUH2pKvC7oh/dDVJnvpeBWIbyuwQL3OWntl81tTTZ/Oi5DwFyEionDs:NnnHLC2dfvpk5yRQLvf81BV2m6ionDu3

Score
10/10
snakekeyloggercollectiondiscoveryexecutionkeyloggerpersistencestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      f8b3078e40bcfcd0c464054ab5d942bff72aa8c27aa6cf9838dd2daaac854caa

    • Size

      774KB

    • MD5

      35a14ec5e93e8606051d692c0510b4b2

    • SHA1

      58ffd63f713bf54c45237f3012cc92f624966376

    • SHA256

      f8b3078e40bcfcd0c464054ab5d942bff72aa8c27aa6cf9838dd2daaac854caa

    • SHA512

      a2d1173236b20a717d9ea402fd29540ce9ac002d49421d8343c34e7e63d5fcd8c9a3419ed130c677ac380b0a571cb7db23d6601cee19cc321045c0c035795c3c

    • SSDEEP

      12288:tPVXv0yQ9TUH2pKvC7oh/dDVJnvpeBWIbyuwQL3OWntl81tTTZ/Oi5DwFyEionDs:NnnHLC2dfvpk5yRQLvf81BV2m6ionDu3

    Score
    10/10
    discoveryexecutionsnakekeyloggercollectionkeyloggerstealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Snakekeylogger family

      snakekeylogger

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Accesses Microsoft Outlook profiles

      collection

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      Saccate/Chiriguano.Ski

    • Size

      51KB

    • MD5

      6c30e6cb99e14b8e5446a9a5726167ed

    • SHA1

      01d799ef731cf409d29a51696fd3380b296f8730

    • SHA256

      3a0443fe99e0be036a5747d6c6a4a0202f5f55ffb8a338af90f829d8bbf5d5f6

    • SHA512

      39358a6fa774429954c0a599f55685608220eabeef19b6c9be1040169b65577d51c9306d537a248779a79b092e820fef7e9ee4f256297434c3677be7f75b8696

    • SSDEEP

      1536:kVpjFOKIF51+UTMIKwoQTOxBrlGtGfZWShL+m:sFO1FChNBg5EL+m

    Score
    8/10
    executionpersistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks