General

  • Target: 14042025_1526_14042025_FACTURA N 7.2520 1.tbz2
  • Size: 911KB
  • Sample: 250414-svnbrazly6
  • MD5: 2ce2209d6d678b9dba15b6e1b5dfa21d
  • SHA1: 9981eaa4caf8cb2d0c0913a72665218584e4fdc9
  • SHA256: 5ab0a5ce4208a69aee40dbe2a3b580051d643b552f7bfee56338fdf724a81d0e
  • SHA512: 495668a0c83da1e3fcb107a3ea5a5ac486e61f2e2436cc60b3d801dbc73a058ad1fb8dcba699f1e0d3a19d9b90ee90f960435f43637cac9b423c51d409ffd3d7
  • SSDEEP: 24576:x7pK4hcKk1UtVOAYxQrkoVi4O/kELhJ9o7o2cI8TeYSuXAIAohm5:x7pKik1klYx+jixcELNco2N8vpAZ

Malware Config

  • Extracted
  • Family: snakekeylogger
  • C2: https://api.telegram.org/bot7861423597:AAGuw8X75R5fZU_ucABf62dLoKBIKdyyem0/sendMessage?chat_id=7451270736

Targets

    • Target: FACTURA Nº 7.2520 1º.exe
    • Size: 1013KB
    • MD5: 200d9fd5a05344273a986a42a29d6043
    • SHA1: 463c1215a8473d4c135af40a5c583544a32a3f17
    • SHA256: e891f78a266e0c72e86cc6164dbd199f98e6c3f1a830b0185c1e5118092c461a
    • SHA512: 16102a69aaf1289360f7551badf7b334a654481fb318d17b8d8c14004d325d92a052f70068ddc33fa005299fdbe89523cd67b09216d3a6a410736aa9b777db64
    • SSDEEP: 24576:jG8VwDHu09EfvV973tch85j+nJuhUwY+s6iA4GuaJjt8+:qyjvV97dcyjIJuJ26Id+

    • Snake Keylogger
      Keylogger and infostealer first seen in November 2020.
    • Snake Keylogger payload
    • Snakekeylogger family
    • Command and Scripting Interpreter: PowerShell
      Runs PowerShell with the display window hidden.
    • Accesses Microsoft Outlook profiles
    • Blocklisted process makes network request
    • Legitimate hosting services abused for malware hosting/C2
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of NtCreateThreadExHideFromDebugger
    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v16

Tasks