General
-
Target
6AT6W_file.exe
-
Size
625KB
-
Sample
241213-vmnzeswrel
-
MD5
30e5e5a39df67a1138bf84db89a5eb47
-
SHA1
d269595a30fd1e49086c51f629e39c15200e0149
-
SHA256
1d409e94b935c68a4b4841a1b2e05c6abf1ea827c419eab8bf3ee23229574160
-
SHA512
365324ec484c65e7fb010f1a1fa5b5f97afef3e99d7e16e5ae753fe26da6a62c782196283ec71269a7198e6690de40fcc877f5f7b558a588f4994edfb95fe673
-
SSDEEP
12288:2dMdY9shQglOUQwZvb6JecS0W/0Wjz3lXsBHxxe70ZjwqmKH2JS:BdhlrQwIJe/bYxiqmm28
Static task
static1
Behavioral task
behavioral1
Sample
6AT6W_file.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
6AT6W_file.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot7329625827:AAFusOMtNxAA4AfTt7YzeN1zaE4Sm-WxFiw/sendMessage?chat_id=8096159140
Targets
-
-
Target
6AT6W_file.exe
-
Size
625KB
-
MD5
30e5e5a39df67a1138bf84db89a5eb47
-
SHA1
d269595a30fd1e49086c51f629e39c15200e0149
-
SHA256
1d409e94b935c68a4b4841a1b2e05c6abf1ea827c419eab8bf3ee23229574160
-
SHA512
365324ec484c65e7fb010f1a1fa5b5f97afef3e99d7e16e5ae753fe26da6a62c782196283ec71269a7198e6690de40fcc877f5f7b558a588f4994edfb95fe673
-
SSDEEP
12288:2dMdY9shQglOUQwZvb6JecS0W/0Wjz3lXsBHxxe70ZjwqmKH2JS:BdhlrQwIJe/bYxiqmm28
-
Snake Keylogger payload
-
Snakekeylogger family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2