Extracted

• • Target

    AWB_5771388044Documentidispedizione.exe

  • Size

    951KB

  • MD5

    141e425e7651709ab6ec7fb5a42b5600

  • SHA1

    ad974c3dcc345aeffd2b76c946fd15d1ab65e61e

  • SHA256

    b2b61906721e2ccd1fe5de9c6db91732c08ec04ae16becfd3063a209459b0c43

  • SHA512

    164e5fd766b805ab33189460d2f2b5bbc2fad55bd3591cb8d043f6dc127ab57fd9a18bb3411e89de5da3b6c9b522f3887f91194ed81c2b710908534d8d90f9b9

  • SSDEEP

    24576:Eu6J33O0c+JY5UZ+XC0kGso6FaHenv0hD6HWY:+u0c++OCvkGs9FaHbtY

  Score

  10^/10

  snakekeyloggercollectiondiscoverykeyloggerstealeradwarepersistenceprivilege_escalation

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger

  • Snake Keylogger payload

  • Snakekeylogger family

    snakekeylogger

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Downloads MZ/PE file

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Accesses Microsoft Outlook profiles

    collection

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Installs/modifies Browser Helper Object

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2