General

  • Target: Order88983273293729387293828PDF.exe
  • Size: 696KB
  • Sample: 241113-ja9vksxgll
  • MD5: fc3c5c65e7e4273fafe635355850a280
  • SHA1: 5d177e7833b900867c6cdcf688c67eaed267adc9
  • SHA256: 0caac3bbfaa97a7bbb02edb38c052afe206b3b02dae196b523b04b8ff3b108d7
  • SHA512: adb239e96b1a26577a56a4c695ba9b209684dbd4f2bf1a22c7a237886d98377982ef0ad4a34309127637c11de95ee5dec7c3977111c78b98e269de96a6fc4beb
  • SSDEEP: 12288:G0mnA1zzwfuh5m0yZ5p1qNy7hAEav4So+r9t3DSDb4N7:uA1zzwfxZzM8AEav4NU3ewF

Malware Config

Extracted

Family: snakekeylogger

C2: https://api.telegram.org/bot7610532139:AAFiI3HHwFD6pWziyPu3lWJbRKPQtz0nD2c/sendMessage?chat_id=6680692809

Targets

    • Target: Order88983273293729387293828PDF.exe


    • Snake Keylogger
      Keylogger and infostealer first seen in November 2020.
    • Snake Keylogger payload
    • Snakekeylogger family
    • Command and Scripting Interpreter: PowerShell
      Runs PowerShell with a hidden display window.
    • Accesses Microsoft Outlook profiles
    • Blocklisted process makes network request
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of NtCreateThreadExHideFromDebugger
    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target: Preallot.Fer
    • Size: 53KB
    • MD5: ab917b684f578574a32d681b79310931
    • SHA1: 4646d2ee1e976e7a38d69eaf3b76650338e99072
    • SHA256: 2ef655a8f10840167370d2903c93bc173b78462bcfd776652dc2655d8e4670c1
    • SHA512: 6085fcf5e4c7ffb86abcf2a9b11f5e7881944b688c4d8bbb4f283b417da3e681fc60277620b7b351aff9fefa6db7d917006fc5f9d3959822db8f79f5f18aabd7
    • SSDEEP: 1536:0weNWLuYtjHmf6LVumJXXVlfpKcaBNiqH:zBtKMMmJXlxQfBNdH
    • Boot or Logon Autostart Execution: Active Setup
      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks