General

  • Target: 12022025_0745_AWB_5771388044ShippingDocuments.exe.iso
  • Size: 1006KB
  • Sample: 250212-jrpwqssphp
  • MD5: 101b556864063d0e842bb581c7492456
  • SHA1: ef0687002abdbe3486e869673fda49b450c94274
  • SHA256: 36ce2e71313ad2166609ddafea38a5feab88af50ad694c99f3adc98925c3a5bf
  • SHA512: 46fce79402e4702da179f44f0c3a55cd39bd2d97b38f3555d2f16e3602b9865bf14307078cb9240ff9cbda55195f6131bb70b8fb247239eedafda3ad1c1ce112
  • SSDEEP: 24576:5u6J33O0c+JY5UZ+XC0kGso6Fa/raGseMWY:7u0c++OCvkGs9Fa/rzY

Malware Config

Extracted

  • Family: snakekeylogger
  • C2: https://api.telegram.org/bot8123813718:AAE7xhJKgiVtPaoPZCfcx9AxRJoEs0MjRtc/sendMessage?chat_id=7607163233

Targets

    • Target: AWB_5771388044 Shipping Documents.exe
    • Size: 945KB
    • MD5: 1f1533809fc5e519a2c0ed71fcc8fef6
    • SHA1: 559102913d846fe1f3042d6c705de207ad412aec
    • SHA256: 83e24368dec559238ef435c59635d6e259157f415edad801f904767e3c517687
    • SHA512: 73df594176249c02be3ef8dbca1bb954a86ac9d2bfc8884edc69845924cc03b41569153300c0ff717f25f4486406657dab737e20ae65cdf6485191593c86a048
    • SSDEEP: 24576:pu6J33O0c+JY5UZ+XC0kGso6Fa/raGseMWY:Lu0c++OCvkGs9Fa/rzY

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15