Overview

overview

10

Static

static

3

2.exe

windows7-x64

8

2.exe

windows10-2004-x64

10

Chromonemal.ps1

windows7-x64

3

Chromonemal.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2.exe

  • Size

    682KB

  • Sample

    241115-nwdfqasphy

  • MD5

    6e62c2f3acd34a6cf4eee9f493ceb3a1

  • SHA1

    dc025bd9290f738c1870f7d9861da95af549dfd0

  • SHA256

    134be2720dc277e7be61620837bfd47e02892d9641294cbe4457d7bae4510a19

  • SHA512

    20beb4e7572a1026603399676dc55573105f2359d418aa504f73a8486337b1843ab9ea8db6ccd3bd11b05ff2686b3cefdadbbef321d7da546da9a733b7c626e9

  • SSDEEP

    12288:G0mnA1zxuAL9BFGFx6Dpu/ay+xSnliR6r9t3DSDb4NF:uA1zxumVoIDIikcu3ewb

Score
10/10
snakekeyloggerdiscoveryexecutionkeyloggerpersistencestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7610532139:AAFiI3HHwFD6pWziyPu3lWJbRKPQtz0nD2c/sendMessage?chat_id=6680692809

Targets

    • Target

      2.exe

    • Size

      682KB

    • MD5

      6e62c2f3acd34a6cf4eee9f493ceb3a1

    • SHA1

      dc025bd9290f738c1870f7d9861da95af549dfd0

    • SHA256

      134be2720dc277e7be61620837bfd47e02892d9641294cbe4457d7bae4510a19

    • SHA512

      20beb4e7572a1026603399676dc55573105f2359d418aa504f73a8486337b1843ab9ea8db6ccd3bd11b05ff2686b3cefdadbbef321d7da546da9a733b7c626e9

    • SSDEEP

      12288:G0mnA1zxuAL9BFGFx6Dpu/ay+xSnliR6r9t3DSDb4NF:uA1zxumVoIDIikcu3ewb

    Score
    10/10
    discoveryexecutionsnakekeyloggerkeyloggerstealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Snakekeylogger family

      snakekeylogger

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Blocklisted process makes network request

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      Chromonemal.Opg

    • Size

      53KB

    • MD5

      65171ebd8fd8c699770edee943ff09f1

    • SHA1

      dc17dd3e384f06c03015b136cc068c2973673981

    • SHA256

      73a4a59e35863571281154449961ab2a81ff47c3baa341d7de100287a0043274

    • SHA512

      f0f1c8a7dfa94feb7fc7e170ad4abfde9a4bc7d7af1a5c4cd763ca93484256a6a37fd5fb515345987af8daaedd812cfb3e0f5944ccdb0ee4983a0a71da53a144

    • SSDEEP

      1536:02be3lIq1gxBdV5jNQpNwrZHHoVmbclOHoEah/B66z:0OEj1EV5oYdIV2cXhwk

    Score
    8/10
    executionpersistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks