General

  • Target

    SAH0987800.doc.tar

  • Size

    964KB

  • Sample

    241216-h9nwqazphw

  • MD5

    5420b0665644854be7d685f7004ac0cc

  • SHA1

    94c3c35e1e601de7ff8187f911d7946f985ff04f

  • SHA256

    a5c5035ec1d8d15588dbda751729f20b275fbcac8afab6e7fa1875c88f185dad

  • SHA512

    dc1d0fee70b5ec2c1a101139c32c043b7c1f70db2b7139d76f54721274be0b05aa049c6de5ec25adc918c2f1e0afc10bec9cf6103dc88c5bd1ec469463ae145e

  • SSDEEP

    24576:hH3Wh5oBIBJZDf6MsZ9BbK9XvkSSYk8tmka:AzoqXb6MO989fAYkD

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      SAH0987800/SNKW976780090.exe

    • Size

      529KB

    • MD5

      a3aa7f4daceddd1ec8b2d9dbcfcf3018

    • SHA1

      6955a629c7b2b1fbe7ab8822814f52c1d1e2ea92

    • SHA256

      b4bea581890a1f0e57955751fff4878328d67e3ac7d7b825d8f7ef07603a4a82

    • SHA512

      e9223cd43b05b111c5f1f44e53a7296a223815f2d6e5aa373e8e11613eebd6dfd01c1998d67934b5dc76d1639f4a06a32e11d2bcd98969d34770f92ed7631b60

    • SSDEEP

      12288:BquErHF6xC9D6DmR1J98w4oknqOOCyQfATt2vFKQ:Erl6kD68JmlotQfPKQ

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Drops startup file

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      out.upx

    • Size

      994KB

    • MD5

      bfed2f238dfd382a072acdca9e81f475

    • SHA1

      0ece438d0446d8e2dcbe27ae5ad973d9c7f04fa8

    • SHA256

      79c9e568e1ca1846815bbb3d58ef82e4c782d33c97a8448a50e0a8e062eb0b38

    • SHA512

      ba7e9ef22dd86066d4cacf3217309dfe2934f788f026c8a40e1a1e879cbfe8f33384aba266e77042860117acaad37cee0881f40fa60c14d1dc7e32678538e157

    • SSDEEP

      12288:7u6JWgXT7rKfXNeKgOIc0nAWY/ySWHDVz/Vovh7V1C0NnCGsorfgBDhTt2vFKQ:7u6J33O0c+JY5UZ+XC0kGsok6KQ

    • Score

      1/10

    • Target

      SAH0987800/SNKW9767800VI.exe

    • Size

      760KB

    • MD5

      7d2e7fe5e83484bdecb1340d6613093c

    • SHA1

      f7418576b87e3bd3080a45fa58fcd98b4c842c0d

    • SHA256

      0d40cad28a1d700f892d938d9dc2622ac208a776160496f25c4c222a856acc20

    • SHA512

      f86adc12e19cdbc34d443d6ff7c1ffacb30e2d0ba705a2d6394c9770b3cf3a4b5a34e451d841b8514dd89d5458e0971ce3fbf62dba780ad6faaecc5a17938173

    • SSDEEP

      12288:rLkcoxg7v3qnC11ErwIhh0F4qwUgUny5QL7oAhiFI8Y:ffmMv6Ckr7Mny5QL77AlY

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks