Extracted

• • Target

    z3maxx.exe

  • Size

    953KB

  • MD5

    fa1a625ed0d0c6326f18bc5cffdd1082

  • SHA1

    429ef29fa97b129fea74691bb20eebf29c47995c

  • SHA256

    7e590d991cf1e6437537909c294ca17948bba91dca4305998ff6bc20e9550d57

  • SHA512

    112676862516fd63f152ab38e3557e06d2e3b37b5b55b3edc65afc85a4c170d5b993fe1c915eb03616074ad630735b48f7864502322e239f74324420e151725a

  • SSDEEP

    24576:zAHnh+eWsN3skA4RV1Hom2KXFmIa/PNa45:+h+ZkldoPK1Xa/Fx

  Score

  10^/10

  snakekeyloggercollectiondiscoverykeyloggerstealeradwarepersistenceprivilege_escalation

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger

  • Snake Keylogger payload

  • Snakekeylogger family

    snakekeylogger

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Downloads MZ/PE file

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Accesses Microsoft Outlook profiles

    collection

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Installs/modifies Browser Helper Object

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2