General

  • Target: 78640daf96e800aaa2f8f2d17b78a9ca692f21ca75cc093068f409f0488c067a
  • Size: 497KB
  • Sample: 241115-hpmsxszmbv
  • MD5: 125022ea147dd3b31cbfc6ff427b0e01
  • SHA1: af4cf3cc35c2966eb81f295e0a46c454a88c5e71
  • SHA256: 78640daf96e800aaa2f8f2d17b78a9ca692f21ca75cc093068f409f0488c067a
  • SHA512: 6c381ded895f22a121aa3209f2ed3a3ef9ed908fe9480b1a3a986a87f29ae8f0e9501b177c81ed47847e02bdd56d63f006ef53440e1189b1858b2368e568b910
  • SSDEEP: 12288:S5I1Q6AxSy32PudjJqhBDgF3Y8S61L5l4AhCBmAh2D3t41:g4yxSy8FhM3Y8jF5uYW1

Malware Config

Extracted

  • Family: snakekeylogger
  • C2: https://api.telegram.org/bot7399492470:AAF1Q52TLq6uEICFiCVrLu9dpROnjh2wukI/sendMessage?chat_id=1443320838

Targets

    • Target: SOA SEPT.exe
    • Size: 545KB
    • MD5: 29f1f7c0d09a311fe6cefc03075f12cc
    • SHA1: 778cf1a998de563ab9412b11834d5434a9cea9f8
    • SHA256: e98c809fa3258402da807f6cec7900af1c8ebd1651e8bf2100e10d6380839e6d
    • SHA512: a94046cdd4e0c6ea7bbb145af9287872e0524e770107a04f4ef0ddc105c08103094d5b6b17297518001ed669383b58633529cdded2230e73b86acb64eae45d97
    • SSDEEP: 12288:c3HI6QQiHv6sWPNl/MVe3qIEQPpYLu5MF+mRqPN9UsC:OHItQiPFONl/nDtUIZ5Pb

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks