Overview

overview

10

Static

static

3

4dd290b26a...3f.exe

windows7-x64

8

4dd290b26a...3f.exe

windows10-2004-x64

10

Formaalsbe...rs.ps1

windows7-x64

3

Formaalsbe...rs.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4dd290b26a372dbce70e2804f4cb514d8d2ad621d6844acb9933d72efdcb893f.exe

  • Size

    685KB

  • Sample

    241115-cz1vmsxdnp

  • MD5

    2032c338e04d0b5a60eef3f7b7328891

  • SHA1

    352126118e6c6ce3c595c6ac589a70b96cdcc322

  • SHA256

    4dd290b26a372dbce70e2804f4cb514d8d2ad621d6844acb9933d72efdcb893f

  • SHA512

    7aea68700ce219007212c465be4dd752e04f16584cfdfdcb0bf56f99b357f731934e00ae0efc5c5dab29ad5a5735e280ac37a0c425c2a78009875195aacb2696

  • SSDEEP

    12288:G0mnA1zA7zDwONNpP0cldbpH3RfKNmucxdiUWIJiGar9t3DSDb4N5:uA1zALdNpPRllR3NUmuq016Bg3ewH

Score
10/10
snakekeyloggercollectiondiscoveryexecutionkeyloggerpersistencestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7610532139:AAFiI3HHwFD6pWziyPu3lWJbRKPQtz0nD2c/sendMessage?chat_id=6680692809

Targets

    • Target

      4dd290b26a372dbce70e2804f4cb514d8d2ad621d6844acb9933d72efdcb893f.exe

    • Size

      685KB

    • MD5

      2032c338e04d0b5a60eef3f7b7328891

    • SHA1

      352126118e6c6ce3c595c6ac589a70b96cdcc322

    • SHA256

      4dd290b26a372dbce70e2804f4cb514d8d2ad621d6844acb9933d72efdcb893f

    • SHA512

      7aea68700ce219007212c465be4dd752e04f16584cfdfdcb0bf56f99b357f731934e00ae0efc5c5dab29ad5a5735e280ac37a0c425c2a78009875195aacb2696

    • SSDEEP

      12288:G0mnA1zA7zDwONNpP0cldbpH3RfKNmucxdiUWIJiGar9t3DSDb4N5:uA1zALdNpPRllR3NUmuq016Bg3ewH

    Score
    10/10
    discoveryexecutionsnakekeyloggercollectionkeyloggerstealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Snakekeylogger family

      snakekeylogger

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Accesses Microsoft Outlook profiles

      collection

    • Blocklisted process makes network request

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      Formaalsbestemmelsens/Omraadenummers.Ter

    • Size

      52KB

    • MD5

      d6f8f522a812d7fe69126e347b3d9ca2

    • SHA1

      3b2f8aa331cb4b435dd736b9ae1ed8ee6a5f1a28

    • SHA256

      224fc25fabc123f64dcd7b8343ccdcf3398b0735c9c4604c6cdc6e2f4e270721

    • SHA512

      7ec46b8c274c1a86e04ec72fb34c6081a5f47c6e1ddb5aeb2a69ea3fd70b7ee01c69842310bc11a84f6d1abb4cda1b13c0fdd4c9a47fda09ca7d819f2c6e278c

    • SSDEEP

      1536:aSYMsWFDKzJv6bkzrRfOfNqHG3Nbt49lKSY5g2z3S:aSaW8tvBGFqHG3Nby9lKbS2zC

    Score
    8/10
    executionpersistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks