General

  • Target

    ORDER#73672-MAT373674849083403894808434PDF.exe

  • Size

    789KB

  • Sample

    241111-jvdmwawfmc

  • MD5

    a9ec7c7601e1a9e920c673f11f6822a0

  • SHA1

    1eae0a877e807c9e922ee17fcb84e7151c1903c0

  • SHA256

    7bc26c7ef9089a1b72821fe50dd72359674b683eabd5089cdfea3f46c01c2daa

  • SHA512

    68c58c290ef6f3073fffa448ec9247af351c99180773964f87ee9df756b854422525d93b7092eb06047889c24bf3efd5d179c8060ca6ae631889ebcba44f994c

  • SSDEEP

    24576:+MwhYTNtE44ooIq/Zx0PARxFWfcFqal/F4X5Zi7:+MwhoMBjIwZq+WfQiX56

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot8040460346:AAFN58T9Y0-aqdzScEiebBO06S141L8RsSA/sendMessage?chat_id=6680692809

Targets

    • Target

      ORDER#73672-MAT373674849083403894808434PDF.exe

    • Size

      789KB

    • MD5

      a9ec7c7601e1a9e920c673f11f6822a0

    • SHA1

      1eae0a877e807c9e922ee17fcb84e7151c1903c0

    • SHA256

      7bc26c7ef9089a1b72821fe50dd72359674b683eabd5089cdfea3f46c01c2daa

    • SHA512

      68c58c290ef6f3073fffa448ec9247af351c99180773964f87ee9df756b854422525d93b7092eb06047889c24bf3efd5d179c8060ca6ae631889ebcba44f994c

    • SSDEEP

      24576:+MwhYTNtE44ooIq/Zx0PARxFWfcFqal/F4X5Zi7:+MwhoMBjIwZq+WfQiX56

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Blocklisted process makes network request

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Autografere.Pre

    • Size

      53KB

    • MD5

      41d376695f4d2ba3de8a8fd41976cffa

    • SHA1

      51c8832e28ecfd83020dc5cb125ed4adddfd480d

    • SHA256

      070a3ec2310cb2b3742f535ca0e3d25a4209280d7757b0349522b6a905d77c45

    • SHA512

      b6d176e6132a5445b2791637f073f32d93be65a1cdb0914e3fcfa706c89fbfc6e0bce0d748da32ccac51884241ec0996e15ffbf7aab7a985427e41456760ca60

    • SSDEEP

      768:iPbW+iLXLP62G7zF/pKyEt8qoSTYiIzybFwuhAYwG4csOMlKQpd2bJz:IbW+iLXLWlhKyC8cYvUwAAiCZdU

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15