snakekeylogger | 062d95745d360e9a0819bef06807be73822283b9f57226efd4aa3a10cf1d7ff2 | Triage

Submit
Reports

Overview

overview

Static

static

3

Detail-vir...df.exe

windows7-x64

Detail-vir...df.exe

windows10-2004-x64

Sharing

General

Target

Detail-virement-international-032024074900542060000000.pdf.lzh
Size

503KB
Sample

240628-fxwppawakq
MD5

f5f2c79b4a99867c96be919abedc80ed
SHA1

e2466674fe38845b36c7974653c6f2767e721763
SHA256

062d95745d360e9a0819bef06807be73822283b9f57226efd4aa3a10cf1d7ff2
SHA512

f10391585c392a060255a1f79834f201177bc7b2b3dd48bfc744b82c01ef28c9fa9ce12ec92e14a10e6c18a124d092d23429b355ec10734f3dcf26c9ffb120b6
SSDEEP

12288:mezbvvQB+/ptUlefnL81Wu1dqypYmOD2Lgrc:mObv4sBu31d/YsLX

Score

10^/10

snakekeylogger execution keylogger stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Detail-virement-international-032024074900542060000000.pdf.exe

Resource

win7-20240508-de

snakekeylogger execution keylogger stealer

windows7-x64

11 signatures

600 seconds

Behavioral task

behavioral2

Sample

Detail-virement-international-032024074900542060000000.pdf.exe

Resource

win10v2004-20240226-de

snakekeylogger execution keylogger stealer

windows10-2004-x64

11 signatures

600 seconds

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.sprayerbarn.com.au
Port:
587
Username:
[email protected]
Password:
Matthew@13

C2

https://scratchdreams.tk

Targets

- Target
  
  Detail-virement-international-032024074900542060000000.pdf.exe
- Size
  
  516KB
- MD5
  
  f582c7d4bea6603056786884cdad5412
- SHA1
  
  3fbcf63cf3ec4519cbb9360676da3a03bc368fb6
- SHA256
  
  120594fdeca3e974cb68fed91dac11294ba8cf36c0cb822c2f5ef279bb7a7633
- SHA512
  
  3161fdd82063997589ee0653e2ac46cce5da60b66500363944cb795c681b9d99acf5d3fb420bc10906f6ea89c321631bd13931b9606de157465ce363819eab4a
- SSDEEP
  
  12288:nsrVFmUYQ8WxgjUlefBL8RWu1ANz0w19OhI:srVFqWWwL1AqekW
Score

10^/10

snakekeylogger execution keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

snakekeyloggerexecutionkeyloggerstealer

behavioral2

snakekeyloggerexecutionkeyloggerstealer

© 2018-2024

Terms | Privacy