Overview

overview

10

Static

static

3

02a274eea2...76.exe

windows7-x64

8

02a274eea2...76.exe

windows10-2004-x64

10

Evighedskalenders.url

windows7-x64

1

Evighedskalenders.url

windows10-2004-x64

1

Trttes.ps1

windows7-x64

3

Trttes.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    02a274eea2ece1b7eebcc8f24892f1315675fb5d9b096cfb10dbb3215b902a76.exe

  • Size

    663KB

  • Sample

    241115-sl4x5sweqk

  • MD5

    2b3e92e864f53c18bb0eae31da025f10

  • SHA1

    fdc8132052d658fe205dce9b67339b43a3f8b3c8

  • SHA256

    02a274eea2ece1b7eebcc8f24892f1315675fb5d9b096cfb10dbb3215b902a76

  • SHA512

    78032027ce8a31eb529f636769ef38f565edb4b12d16f9c0a112af7d06352df1ee64acd3d9225d495df734309d04bf008d236812b68add96dc89381443f4b6bb

  • SSDEEP

    12288:G0mnA1ztovdMjb6RIA7ENUGyOwFxDVin19zIor9t3DSDb4NJ:uA1ztovKQM6Gy5mnDz33ewf

Score
10/10
snakekeyloggercollectiondiscoveryexecutionkeyloggerpersistencestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7610532139:AAFiI3HHwFD6pWziyPu3lWJbRKPQtz0nD2c/sendMessage?chat_id=6680692809

Targets

    • Target

      02a274eea2ece1b7eebcc8f24892f1315675fb5d9b096cfb10dbb3215b902a76.exe

    • Size

      663KB

    • MD5

      2b3e92e864f53c18bb0eae31da025f10

    • SHA1

      fdc8132052d658fe205dce9b67339b43a3f8b3c8

    • SHA256

      02a274eea2ece1b7eebcc8f24892f1315675fb5d9b096cfb10dbb3215b902a76

    • SHA512

      78032027ce8a31eb529f636769ef38f565edb4b12d16f9c0a112af7d06352df1ee64acd3d9225d495df734309d04bf008d236812b68add96dc89381443f4b6bb

    • SSDEEP

      12288:G0mnA1ztovdMjb6RIA7ENUGyOwFxDVin19zIor9t3DSDb4NJ:uA1ztovKQM6Gy5mnDz33ewf

    Score
    10/10
    discoveryexecutionsnakekeyloggercollectionkeyloggerstealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Snakekeylogger family

      snakekeylogger

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Accesses Microsoft Outlook profiles

      collection

    • Blocklisted process makes network request

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      Evighedskalenders.Url

    • Size

      297KB

    • MD5

      5486b2628ef878dcf6c0ff20fb44e1b2

    • SHA1

      348bd502c7c5d043b96b56d12031422dabdbfc4c

    • SHA256

      988aec254517a9ed62e9aee0ef9d5d3888600d915eea4e89ae803e298c6e3071

    • SHA512

      bb450c02386e09fd27b7f91a8d72f387f05232819caf815caf433fb1efc5b2c6c5455ff6fe1e6e050aa14483cef5bcc9736a74bcdc13d43110a7131908a9b1f8

    • SSDEEP

      6144:p9cW1YcfDZ3tMpgcrPoGoj2ovW4sEWBfUSmmXNOpedbuKGhwboUFddphW2ra3+:pfYcfDZ3tMpgcrPoGojJwEWlU1mdOpez

    Score
    1/10
    behavioral3behavioral4

    • Target

      Trttes.Lsg30

    • Size

      49KB

    • MD5

      7e324ee649b79b8d21cc35127546dc6f

    • SHA1

      852fdc7255cff49666a79a8f1b196340679360bb

    • SHA256

      ff5d64b1291d7f4d4f9274beb4a0f9bb49870cd80134a8b5392913154449b1fb

    • SHA512

      df3d449df9c2e7a5258256ee5dfec849e3d5a4953674e203217e59fc2ad12fd2b44443031b1749f73e1d7051536e1db7a87bcc82a0c2cd151d17ce05422089f1

    • SSDEEP

      768:llG7WqfCgl77rSbS6gD6cl9540oemcgtt0pyhFQzEaK1mHIZGX/SwjlZBqEH:LRqR77GzgD6M40oQgHHQzEx1mdX/SwV

    Score
    8/10
    executionpersistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks