General

  • Target

    5b23cfc94f6d1f5ecc2f38f0094ba78cf1496889d2d0f20453fec8cdebe6c2f1N.exe

  • Size

    1000KB

  • Sample

    241216-g4q88azjdj

  • MD5

    d91a875cc245f3f2ba13a97c427d5880

  • SHA1

    39129185ab93c2ba972797c76434a59f950f4428

  • SHA256

    5b23cfc94f6d1f5ecc2f38f0094ba78cf1496889d2d0f20453fec8cdebe6c2f1

  • SHA512

    2a5dc3ee1c4c77248e50661c81df007b3c08c95a9648a37cf1abe53a4dd64a10d90d0a9cf50222d65773718f9e0255426ad8bab2da8c8c76b6a3e7bdbbb7e43c

  • SSDEEP

    24576:2NluSo4pxUzQcRhTfu4VI6vxoX9FRd/1zVg/X7VwP+jwqjXInHXUF/GmEZet2gk8:2NluSo4pxUzQcRhTfu4VI6vxoX9FRdNY

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7557806283:AAFiqTWzN-gLgC-2y3c1Dz5CtqTp-HN6TYc/sendMessage?chat_id=7451270736

Targets

    • Target

      5b23cfc94f6d1f5ecc2f38f0094ba78cf1496889d2d0f20453fec8cdebe6c2f1N.exe

    • Size

      1000KB

    • MD5

      d91a875cc245f3f2ba13a97c427d5880

    • SHA1

      39129185ab93c2ba972797c76434a59f950f4428

    • SHA256

      5b23cfc94f6d1f5ecc2f38f0094ba78cf1496889d2d0f20453fec8cdebe6c2f1

    • SHA512

      2a5dc3ee1c4c77248e50661c81df007b3c08c95a9648a37cf1abe53a4dd64a10d90d0a9cf50222d65773718f9e0255426ad8bab2da8c8c76b6a3e7bdbbb7e43c

    • SSDEEP

      24576:2NluSo4pxUzQcRhTfu4VI6vxoX9FRd/1zVg/X7VwP+jwqjXInHXUF/GmEZet2gk8:2NluSo4pxUzQcRhTfu4VI6vxoX9FRdNY

    • Snake Keylogger

      Keylogger and infostealer, first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Tegnmaessig.Peb

    • Size

      55KB

    • MD5

      dbf1218b52e9c36ac61fd9588182d410

    • SHA1

      ca5b4f38b71cd9ca075b8c58d0841e56d8f49da8

    • SHA256

      8bebca4215d24a6f6ec02c135f9076a39d95ba3ae7a7487897021028ca219a68

    • SHA512

      fc50ae502ca65bed1884fd131bb89a7f5bb261079374101fe4d1d7ff1e03cffcf370c7cd7f096d65f92054164fbcc28d3e53e7f3b98c556f15fcd9f000f7e634

    • SSDEEP

      1536:2iPb6qkSSZ0oVqNj+pwQVV/P/Y99A7tGEijnOYN:BlSZ08qWwCtPqwtMx

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks