General

  • Target

    6f8a2474ce15e5e5190f6b97bfbf8da3b63224d41e4e7809acb3e1fe328a0784

  • Size

    701KB

  • Sample

    241113-n5vfla1fmg

  • MD5

    85243ec170323f84e83bd29723bf47ea

  • SHA1

    b3e2f340d0b9d4d5407f82e16990daa0cbe3b18c

  • SHA256

    6f8a2474ce15e5e5190f6b97bfbf8da3b63224d41e4e7809acb3e1fe328a0784

  • SHA512

    22843a3a0b24b18346f3a3d9fcfb7c10c23d6efe23879ad78fa08a6652716df6646a6b09f6a6cab774df719fbd865b94f9b97cfde3919c7e8abd2184bb556bf0

  • SSDEEP

    12288:G0mnA1zIjZX7y3mc6zhqCnpAYehgvF1L9IMqr9t3DSDb4Nq:uA1zOy2cQht/ehgd1LXw3ewg

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7610532139:AAFiI3HHwFD6pWziyPu3lWJbRKPQtz0nD2c/sendMessage?chat_id=6680692809
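The extracted C2 above is a Telegram Bot API endpoint: the URL path carries the bot token (bot<id>:<secret>) and the query string the destination chat_id, so the token and chat ID, not the api.telegram.org domain, are the actionable indicators. The following is an added example, not Tria.ge output and not the sample's own code, of pulling such endpoints out of a binary or strings dump. It scans both plain ASCII and the UTF-16LE encoding that .NET assemblies (Snake Keylogger is .NET) use for user strings, which an ASCII-only strings pass misses. The token and chat_id embedded in the sample blob are constructed placeholders, not the values from this report.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Telegram Bot API exfil URL as found in Snake Keylogger configs:
#   https://api.telegram.org/bot<bot id>:<secret>/<method>?chat_id=<chat>
# The token is "<numeric bot id>:<secret>"; the method is the exfil channel
# (sendMessage for text, sendDocument for uploads), so any method is matched.
TELEGRAM_C2_RE = re.compile(
    r"https?://api\.telegram\.org/bot(\d{6,12}):([A-Za-z0-9_-]{30,})/(\w+)"
    r"(\?[^\s\"'<>\x00]*)?"
)


def _candidate_texts(blob: bytes):
    """Yield decodings worth scanning: raw bytes as latin-1 (catches ASCII) and
    UTF-16LE at both byte alignments (catches .NET user strings)."""
    yield blob.decode("latin-1")
    yield blob.decode("utf-16-le", errors="replace")
    yield blob[1:].decode("utf-16-le", errors="replace")


def extract_telegram_c2(blob: bytes) -> list:
    """Return one record per distinct Telegram bot C2 URL embedded in blob."""
    records = {}
    for text in _candidate_texts(blob):
        for m in TELEGRAM_C2_RE.finditer(text):
            url = m.group(0)
            if url in records:
                continue
            query = parse_qs(urlsplit(url).query)
            records[url] = {
                "url": url,
                "bot_id": m.group(1),
                "bot_token": f"{m.group(1)}:{m.group(2)}",
                "method": m.group(3),
                "chat_id": query.get("chat_id", [None])[0],
            }
    return list(records.values())


def defang(url: str) -> str:
    """Render a URL so it cannot be resolved or clicked by accident in a report."""
    p = urlsplit(url)
    host = p.netloc.replace(".", "[.]")
    out = f"{p.scheme.replace('http', 'hxxp')}://{host}{p.path}"
    return out + (f"?{p.query}" if p.query else "")


# Constructed sample input: a placeholder token and chat_id (not the ones in this
# report) stored as UTF-16LE between null padding, as a .NET string heap holds it.
FAKE_URL = ("https://api.telegram.org/bot1234567890:AAEexampleexampleexampleexampleXYZ"
            "/sendMessage?chat_id=1000000001")
SAMPLE_BLOB = b"\x00" * 16 + FAKE_URL.encode("utf-16-le") + b"\x00" * 16

if __name__ == "__main__":
    for rec in extract_telegram_c2(SAMPLE_BLOB):
        print(defang(rec["url"]), "bot", rec["bot_id"], "chat", rec["chat_id"])
```

Two caveats: the regex only catches builds that put chat_id in the URL query; a variant that sends it in the POST body yields a record with chat_id None and still needs the token recorded. And the token is a live secret for the attacker's bot, so hand it to Telegram abuse or a threat-intel feed rather than calling the API from an analysis box, since that contacts the attacker's infrastructure.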

Targets

    • Target

      6f8a2474ce15e5e5190f6b97bfbf8da3b63224d41e4e7809acb3e1fe328a0784

    • Size

      701KB

    • MD5

      85243ec170323f84e83bd29723bf47ea

    • SHA1

      b3e2f340d0b9d4d5407f82e16990daa0cbe3b18c

    • SHA256

      6f8a2474ce15e5e5190f6b97bfbf8da3b63224d41e4e7809acb3e1fe328a0784

    • SHA512

      22843a3a0b24b18346f3a3d9fcfb7c10c23d6efe23879ad78fa08a6652716df6646a6b09f6a6cab774df719fbd865b94f9b97cfde3919c7e8abd2184bb556bf0

    • SSDEEP

      12288:G0mnA1zIjZX7y3mc6zhqCnpAYehgvF1L9IMqr9t3DSDb4Nq:uA1zOy2cQht/ehgd1LXw3ewg

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden (for example -WindowStyle Hidden), so the user sees no console.

    • Blocklisted process makes network request

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Shoofa.Rad

    • Size

      52KB

    • MD5

      bec5624e576379638737b54edd121409

    • SHA1

      8bfc71d5fc5bec930fad4dc6e55dadddffc48fdc

    • SHA256

      599c9c4648fa3d92c019dc99419cd6e4129d5be92031269d042fca0f16c6ff80

    • SHA512

      0ba24ae0bb04460da8459df64b1a91e4bba1fad98028766215eb28e5512a108b8240b6e94f20fabfdeececad40af929c7090e24ac529056901a689f7a1b2bd5f

    • SSDEEP

      1536:pi3FuKXDbqUDEMSWwH141TJj1Z4VVUPXxLXIxnm9:OFjzbqUmWr1zZ4QZDIxnm9

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components on the local machine; the command in that key's StubPath value runs in each user's context at the user's next logon.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
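The PowerShell and Active Setup behaviours listed for the two targets above can be turned into host detections. The following is an added example, not from Tria.ge and not the sample's code, that runs two rules over constructed Sysmon-style events (process creation, Event ID 1, and registry value set, Event ID 13): a PowerShell launch with a hidden window, and an Active Setup StubPath that points into a user-writable directory. The GUIDs, paths and command lines in the events are placeholders; the drive-enumeration behaviour is not modelled, since it is a file-system read that process and registry telemetry does not capture.

```python
import re

# Constructed telemetry shaped like Sysmon Event ID 1 (process create) and
# Event ID 13 (registry value set). GUIDs, paths and command lines are placeholders.
EVENTS = [
    {"id": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoProfile -w hidden -ExecutionPolicy Bypass -Command "Start-Sleep 5"',
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\dropper.exe"},
    {"id": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Get-Date"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 13,
     "Image": r"C:\Users\user\AppData\Local\Temp\dropper.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A1B2C3D4-0000-4000-8000-000000000001}\StubPath",
     "Details": r"C:\Users\user\AppData\Roaming\Shoofa.Rad.exe"},
    {"id": 13,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A1B2C3D4-0000-4000-8000-000000000002}\StubPath",
     "Details": r"C:\Program Files\Vendor\setup.exe /peruser"},
]

# Active Setup components live here (32-bit view under WOW6432Node on x64). The
# StubPath command runs once in each user's context at that user's next logon.
ACTIVE_SETUP_STUBPATH_RE = re.compile(
    r"(?i)^HKLM\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Active Setup\\Installed Components\\"
    r"\{[0-9A-F-]+\}\\StubPath$"
)
# powershell.exe accepts any unambiguous prefix of -WindowStyle (-w, -win, ...).
HIDDEN_WINDOW_RE = re.compile(r"(?i)(?:^|\s)-w[a-z]*\s+hidden\b")
POWERSHELL_IMAGE_RE = re.compile(r"(?i)\\(?:powershell|pwsh)\.exe$")
# Locations an unprivileged user can write to; a StubPath there is rarely legitimate.
USER_WRITABLE_RE = re.compile(r"(?i)\\(?:Users\\[^\\]+\\|ProgramData\\|Windows\\Temp\\)")


def detect_hidden_powershell(ev: dict):
    """Event ID 1: PowerShell started with its window hidden."""
    if ev.get("id") != 1 or not POWERSHELL_IMAGE_RE.search(ev.get("Image", "")):
        return None
    if HIDDEN_WINDOW_RE.search(ev.get("CommandLine", "")):
        return {"rule": "powershell_hidden_window",
                "parent": ev.get("ParentImage"), "cmd": ev["CommandLine"]}
    return None


def detect_active_setup_persistence(ev: dict):
    """Event ID 13: Active Setup StubPath pointing into a user-writable directory."""
    if ev.get("id") != 13 or not ACTIVE_SETUP_STUBPATH_RE.match(ev.get("TargetObject", "")):
        return None
    stub = ev.get("Details", "")
    if USER_WRITABLE_RE.search(stub):
        return {"rule": "active_setup_stubpath_user_writable",
                "writer": ev.get("Image"), "stubpath": stub}
    return None


def run_detections(events: list) -> list:
    """Apply every rule to every event and collect the hits in event order."""
    findings = []
    for ev in events:
        for rule in (detect_hidden_powershell, detect_active_setup_persistence):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in run_detections(EVENTS):
        print(f)
```

The StubPath rule keys on the target directory rather than on the writing process because installers legitimately add Active Setup components under Program Files; it will still fire on software that stages per-user components in ProgramData, so tune it with the writer's image path or code signer before deploying. The hidden-window rule is a weak signal on its own; the parent image (a dropper in Temp rather than explorer.exe or a scheduler) is what separates the two PowerShell events above.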

MITRE ATT&CK Enterprise v15

Tasks