General

  • Target

    738532ed75db18650d507e33de23fc624a91ce76fff5a704310be17635f45450.exe

  • Size

    663KB

  • Sample

    241115-c5awea1lel

  • MD5

    fa43b6f6caf5540ba0f6d0086388a3aa

  • SHA1

    a093a22d20628af8c60ccb7788d1dacb13256e0f

  • SHA256

    738532ed75db18650d507e33de23fc624a91ce76fff5a704310be17635f45450

  • SHA512

    2f942fb33e8030e9de59dc5bd8d28747ef3b5d6a2b40165e8e6e983f234554d2eb7b5bf3e8b0e87c8c15aa8ae6e528a5578fe6c785848b7e164aafd53d83124e

  • SSDEEP

    12288:G0mnA1ztovdMjb6RIA7ENUGyOwFxDVin19zIor9t3DSDb4Np:uA1ztovKQM6Gy5mnDz33ew/

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7610532139:AAFiI3HHwFD6pWziyPu3lWJbRKPQtz0nD2c/sendMessage?chat_id=6680692809

Targets

    • Target

      738532ed75db18650d507e33de23fc624a91ce76fff5a704310be17635f45450.exe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Blocklisted process makes network request

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Evighedskalenders.Url

    • Size

      297KB

    • MD5

      5486b2628ef878dcf6c0ff20fb44e1b2

    • SHA1

      348bd502c7c5d043b96b56d12031422dabdbfc4c

    • SHA256

      988aec254517a9ed62e9aee0ef9d5d3888600d915eea4e89ae803e298c6e3071

    • SHA512

      bb450c02386e09fd27b7f91a8d72f387f05232819caf815caf433fb1efc5b2c6c5455ff6fe1e6e050aa14483cef5bcc9736a74bcdc13d43110a7131908a9b1f8

    • SSDEEP

      6144:p9cW1YcfDZ3tMpgcrPoGoj2ovW4sEWBfUSmmXNOpedbuKGhwboUFddphW2ra3+:pfYcfDZ3tMpgcrPoGojJwEWlU1mdOpez

    • Score

      1/10

    • Target

      Trttes.Lsg30

    • Size

      49KB

    • MD5

      7e324ee649b79b8d21cc35127546dc6f

    • SHA1

      852fdc7255cff49666a79a8f1b196340679360bb

    • SHA256

      ff5d64b1291d7f4d4f9274beb4a0f9bb49870cd80134a8b5392913154449b1fb

    • SHA512

      df3d449df9c2e7a5258256ee5dfec849e3d5a4953674e203217e59fc2ad12fd2b44443031b1749f73e1d7051536e1db7a87bcc82a0c2cd151d17ce05422089f1

    • SSDEEP

      768:llG7WqfCgl77rSbS6gD6cl9540oemcgtt0pyhFQzEaK1mHIZGX/SwjlZBqEH:LRqR77GzgD6M40oQgHHQzEx1mdX/SwV

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15