Overview

overview

10

Static

static

1

89360a01c9...e5.exe

windows7-x64

8

89360a01c9...e5.exe

windows10-2004-x64

10

Snurre.ps1

windows7-x64

3

Snurre.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    89360a01c95a9aee2ea2af6fe15693baefabe2d31beb3c43fcbc390d73c3bee5

  • Size

    989KB

  • Sample

    241130-yxbnmatmfv

  • MD5

    2412cbbed6081fd40494028b7ff5e791

  • SHA1

    0f404ae35ee0193e07a6cc26391f7560ec103ab9

  • SHA256

    89360a01c95a9aee2ea2af6fe15693baefabe2d31beb3c43fcbc390d73c3bee5

  • SHA512

    03ea2096fa8c34f668c301549d6dd7152e24e8d50b9cf5fca63452eecf720bac0e084ddc56a28cf558b2da32c3e5cb7cc036e06eb9735c4a443a7ffe75aeb055

  • SSDEEP

    24576:K+63kmIlyh9fgMAC7Nr8xAGuwIm/yWiopvC9wi:K+TOflm/RaWi6Mwi

Score
10/10
snakekeyloggercollectiondiscoveryexecutionkeyloggerpersistencestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      89360a01c95a9aee2ea2af6fe15693baefabe2d31beb3c43fcbc390d73c3bee5

    • Size

      989KB

    • MD5

      2412cbbed6081fd40494028b7ff5e791

    • SHA1

      0f404ae35ee0193e07a6cc26391f7560ec103ab9

    • SHA256

      89360a01c95a9aee2ea2af6fe15693baefabe2d31beb3c43fcbc390d73c3bee5

    • SHA512

      03ea2096fa8c34f668c301549d6dd7152e24e8d50b9cf5fca63452eecf720bac0e084ddc56a28cf558b2da32c3e5cb7cc036e06eb9735c4a443a7ffe75aeb055

    • SSDEEP

      24576:K+63kmIlyh9fgMAC7Nr8xAGuwIm/yWiopvC9wi:K+TOflm/RaWi6Mwi

    Score
    10/10
    discoveryexecutionsnakekeyloggercollectionkeyloggerstealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Snakekeylogger family

      snakekeylogger

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Accesses Microsoft Outlook profiles

      collection

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      Snurre.Cha

    • Size

      53KB

    • MD5

      4222c382a9b09c226558bab62b4eb82c

    • SHA1

      0ba5c66496bce81da9f06b7d8896fced50ad4e68

    • SHA256

      381fce3fd3f4ea5e4c3dc3bce71055559d363e87199a0222a4d81ab93e3f3542

    • SHA512

      4d1712e1f76fce09c1d74fca76006f71fa31de804076df35e6ec2acaae736b113e8a264e9263f64cce798ead11f785e89266f762b69d2aa739e233ea14ee2135

    • SSDEEP

      1536:9Xeg23NxR2vxjaKCA2YrsqQVYK8raHlMSoku+3/YBGgu+EgogL0:c3Nb6sKCTPYFa9HwBGguTgogw

    Score
    8/10
    executionpersistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks