snakekeylogger | ca5a0e2963dc959524712f6d71b937d20a2bf15a4fece708ede9a84b50bb2ebf | Triage

Sharing

General

Target

FACTURA_240001920.zip
Size

519KB
Sample

241114-l6v3eaxgkq
MD5

f1fc58a97fc3f2502b7cdd0d046ecf81
SHA1

02c028d780a63ccdd20b68cef08b6fa045cda1e3
SHA256

ca5a0e2963dc959524712f6d71b937d20a2bf15a4fece708ede9a84b50bb2ebf
SHA512

cd5ac2f3c35672aacd2916b2619099b32977c51263791c8e36f120ab69f3d9f4d79ba042377b046fc0e6466c48d29fd809566360086f8585cc726f1b4f40948d
SSDEEP

12288:ATnVHUif59VXBKLDCyNJV3g3p5EpwdOyPC:AFP5rBKHy51x6

Score

10^/10

snakekeylogger collection discovery execution keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.tumteks.com
Port:
587
Username:
[email protected]
Password:
Tt36556300Ss.
Email To:
[email protected]

Targets

- Target
  
  FACTURA_240001920.zip
- Size
  
  519KB
- MD5
  
  f1fc58a97fc3f2502b7cdd0d046ecf81
- SHA1
  
  02c028d780a63ccdd20b68cef08b6fa045cda1e3
- SHA256
  
  ca5a0e2963dc959524712f6d71b937d20a2bf15a4fece708ede9a84b50bb2ebf
- SHA512
  
  cd5ac2f3c35672aacd2916b2619099b32977c51263791c8e36f120ab69f3d9f4d79ba042377b046fc0e6466c48d29fd809566360086f8585cc726f1b4f40948d
- SSDEEP
  
  12288:ATnVHUif59VXBKLDCyNJV3g3p5EpwdOyPC:AFP5rBKHy51x6
Score

7^/10

discovery execution
- Executes dropped EXE
behavioral1 behavioral2
- Target
  
  document.exe
- Size
  
  548KB
- MD5
  
  682e0e22ac2f06d26d24cac1769e1b80
- SHA1
  
  1302dd34b80e32415baacafecdfe31d61d0dd563
- SHA256
  
  51d366ab87eb5988f96d068d503d21b801b5df4535b8851364e56cbacb8fab82
- SHA512
  
  083c2225192987117d84bbbdbca228937f570fe31ca90aaff3a8cf6b4c1822a1b39523424723bc596056823c338cd7db193777b36487cf732bb526176935daa2
- SSDEEP
  
  12288:/BvLTWCL5Bj6NdVFB2dDG8DLh3g1prEPwdOC18:RhTmNFB2f2bJfG
Score

10^/10

discovery execution snakekeylogger collection keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Snakekeylogger family
  snakekeylogger
- Accesses Microsoft Outlook profiles
  collection
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  Acclimate.Dec
- Size
  
  314KB
- MD5
  
  ab0b1f8d712c0b3f8cf3fdc0fedd0352
- SHA1
  
  bd67c0e83b022a846b9c005ef6130e9e810d5bf7
- SHA256
  
  433d5ffc66b965621e41f5af742682a475506f096daf6489fdb822b103812fae
- SHA512
  
  927a00d738d81894475420fe4f33a257b0512cb887ae144b16ec4ad4cc145dba8b2d10dc9bfdaccb06c3fc7b43e933b10b07ddee4571d2e061a34150a958fc3e
- SSDEEP
  
  6144:Xr6Aok3//lfwW9FUrW2IufYtVN/HBmHBV59EDszhAnT/f:+AjP/lfDYrW2nws9O4Of
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  Ergometerets/marks.txt
- Size
  
  642B
- MD5
  
  045784ae6140b6244ad605a99a3ab908
- SHA1
  
  a7f43f2ac40159500446056db1c4c1d78f0c077d
- SHA256
  
  667a103a45337560380e63659aad2bbbdffd0ad9adfbcbc9e771fa0a62cb8a4d
- SHA512
  
  1bb0882e7bf868753154ad0037bc7476484743b3755bc148e372a84c9ea82f683dfa669fcb0383b9705678ebe478e20c6d51fee572e5c9b5cf08b0957789b525
Score

1^/10
behavioral7 behavioral8
- Target
  
  Myomectomy.Und
- Size
  
  72KB
- MD5
  
  ef1b436f4a2cb4f3dcc5b90c1fc1e3b7
- SHA1
  
  5e7751303869e1b5be0b5329e358d587838ec72d
- SHA256
  
  e44d99f5ed408fde60776bc82f30c9ebd9f1dad717cd5d050e9e58070b8af9f6
- SHA512
  
  344208d055522ee3c65383967f7f27b037e3a9af430a535897942a275c5e6f0af41e99c5a749ce1ac4cea5b2a61fbb1c1b15267973ce9c0d3eabc8fac4373d9d
- SSDEEP
  
  1536:+NdXwLaPniOJM5o7fuyl3B+izWxRJCYdhWyevmERoc4a3v1/DnJZUlE1:mdXwLX5YVlLzWxRIYdhkmEuRa3v9DbUk
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  Unlearnability/quadding.tyr
- Size
  
  72KB
- MD5
  
  a959e5a5fd15840c3a0c589620a29fa4
- SHA1
  
  fae450e740c69aa7d2486f7a9acae6912b1a0b4a
- SHA256
  
  74f8506cdf0fc211b9abb284ec7b6f608d155b3b5060287f773abe80822ab3d3
- SHA512
  
  88269f17fceb7222d222c277fb0e1bd8c873743ff36bb45287cb5ba907429cd1edf17089ba17ca80377d86b87974421cc083d457a46bd9098c9fd5b007674b72
- SSDEEP
  
  384:QBTulxdphSS9mcIE5JeQrqaaMgjdK4hfYUaNuUE/sIzisU2bG+6:QBs9uE5jlasv3cw0GN
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  Unlearnability/termitidae.for
- Size
  
  78KB
- MD5
  
  a16b4c5b79e878c5721c8a6c5a268534
- SHA1
  
  6dd40143064ac09f0b1a56f2506cadc99cb8408b
- SHA256
  
  cf500a247199a2a63e13af82aa1ad2a480474d7657be235920fa0bb49525e73b
- SHA512
  
  5f4a4b0c46613d19105151876e3dd43fbc2d15bdb5777f51c0ff2dc2b96130e0182088cfe2eaecb0e0eb4431a5e9f3167370f92ce51ce9cb9ad172282b2c21e7
- SSDEEP
  
  768:muoKeVhQXbD23MaW0pIw72HSQAwG5ih+b:ZeAuq+b
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  bayrernes.afv
- Size
  
  453KB
- MD5
  
  334c7f837a0f72e41601057332c603c9
- SHA1
  
  d1d92486f8e198af7061c9a0d1a58581dde0f996
- SHA256
  
  5ab0038204e3cbef3fd931858908121176cd57f84a551681552707eb1abfa59a
- SHA512
  
  52d077b6e8ab2ffd1ce9e018d1fce59ea48f22b8716bb6dec77a71238f0810156760b96a4a434c05c809983ac36a400fab0375cd72697f5e7171db6e0f3de52d
- SSDEEP
  
  1536:lbk1LH6GMgXzqftFrKcCFJrNI0DZgzXheDiUKfIXBd66GBG:lkZ6QXzqftocAJrNI0U066Gs
Score

3^/10

discovery
behavioral15 behavioral16

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

behavioral3

discoveryexecution

behavioral4

snakekeyloggercollectiondiscoveryexecutionkeyloggerstealer

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16