snakekeylogger | a9ba86161cb89de53aed44c5bc25ffd09dc5c8091f87e52618a3ef009d381c46 | Triage

Submit
Reports

Overview

overview

Static

static

GFS_03781.xls.exe

windows7_x64

GFS_03781.xls.exe

windows10_x64

Sharing

General

Target

GFS_03781.xls.exe
Size

1.2MB
Sample

210121-qf48hr634s
MD5

9919da45b26135c4e371eb596f9697e9
SHA1

00766ab33ae85e995be911f9ac425a00a2d69fca
SHA256

a9ba86161cb89de53aed44c5bc25ffd09dc5c8091f87e52618a3ef009d381c46
SHA512

a48d1c9d5ea5aadc571a314bff7d1dd9cb6cc0fb07eada1fba9577686ebfbd6e9ead99c30eb5f125b4bb958c3e3014ad70c874d047e0231cb3e4d0b8ddbb6601

Score

10^/10

snakekeylogger keylogger persistence ransomware spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

GFS_03781.xls.exe

Resource

win7v20201028

snakekeylogger keylogger persistence ransomware spyware stealer

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

GFS_03781.xls.exe

Resource

win10v20201028

snakekeylogger keylogger persistence ransomware spyware stealer

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  GFS_03781.xls.exe
- Size
  
  1.2MB
- MD5
  
  9919da45b26135c4e371eb596f9697e9
- SHA1
  
  00766ab33ae85e995be911f9ac425a00a2d69fca
- SHA256
  
  a9ba86161cb89de53aed44c5bc25ffd09dc5c8091f87e52618a3ef009d381c46
- SHA512
  
  a48d1c9d5ea5aadc571a314bff7d1dd9cb6cc0fb07eada1fba9577686ebfbd6e9ead99c30eb5f125b4bb958c3e3014ad70c874d047e0231cb3e4d0b8ddbb6601
Score

10^/10

snakekeylogger keylogger persistence ransomware spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger Payload
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

snakekeyloggerkeyloggerpersistenceransomwarespywarestealer

behavioral2

snakekeyloggerkeyloggerpersistenceransomwarespywarestealer

© 2018-2024

Terms | Privacy