snakekeylogger | b9bc7b1adca24293d38533d4af80b11fd24df9e28b1271f508f3047884b869bf

General

Target

PO#940834894039430849484803408.PDF.exe
Size

793KB
Sample

241108-kxqkwszdqk
MD5

c87c5a7ad95494abcb368fbfbe5508fd
SHA1

0e33726a7647be3c9753240857c4cdfaf7a4b851
SHA256

b9bc7b1adca24293d38533d4af80b11fd24df9e28b1271f508f3047884b869bf
SHA512

1d45aabe8e0855f76c6b3a894b35480783f4f9fcde665dc08d90ae43c84962d9cf02971199718fa57a10711b808b16220a76cb3811c25501905380d4887444b9
SSDEEP

24576:mMwhYkaCzmb6f2b/hNZx0PARxFWfcFqal/F4X5Zi:mMwh0Omb7PZq+WfQiX5

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot8040460346:AAFN58T9Y0-aqdzScEiebBO06S141L8RsSA/sendMessage?chat_id=6680692809

Targets

- Target
  
  PO#940834894039430849484803408.PDF.exe
- Size
  
  793KB
- MD5
  
  c87c5a7ad95494abcb368fbfbe5508fd
- SHA1
  
  0e33726a7647be3c9753240857c4cdfaf7a4b851
- SHA256
  
  b9bc7b1adca24293d38533d4af80b11fd24df9e28b1271f508f3047884b869bf
- SHA512
  
  1d45aabe8e0855f76c6b3a894b35480783f4f9fcde665dc08d90ae43c84962d9cf02971199718fa57a10711b808b16220a76cb3811c25501905380d4887444b9
- SSDEEP
  
  24576:mMwhYkaCzmb6f2b/hNZx0PARxFWfcFqal/F4X5Zi:mMwh0Omb7PZq+WfQiX5
Score

10^/10

discovery execution snakekeylogger collection keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Snakekeylogger family
  snakekeylogger
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Accesses Microsoft Outlook profiles
  collection
- Blocklisted process makes network request
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Wambles/Firtallene.Kon
- Size
  
  52KB
- MD5
  
  3bc6283487e6d24c936852451b413c2a
- SHA1
  
  8217f7a25aadbe7b9f081d045b6899ef3df052fd
- SHA256
  
  61f5a6c21629c953a1759b9f51f6abfcf11e7e4e2d3defe593871f20d1e0715d
- SHA512
  
  1b94fe5a7869e223f21b5985fdb8a61bc90b8f4a4be5704ba6008b62f30710fd0da4c34f974d00bb566dee791b6fec41572be06074a6db80c39a46e6757aba2a
- SSDEEP
  
  1536:Jssv30hByqMxmagK9xwcQ8+L4M1Hkek1pJrwGMOU:JssKglt9O54M5yve
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4