snakekeylogger | 449bf249c170a1b3275c2a3ed45292244ecb49bf3be24ccef3809330de252d90

Sharing

Copy URL

Twitter E-mail

General

Target

29e1467e979c85abfbdd3da6b09e6c16.exe
Size

467KB
Sample

240701-qxsm5syakk
MD5

29e1467e979c85abfbdd3da6b09e6c16
SHA1

9cfa0ebefbc7ae0a2a87c255cae34c9e3ce239c5
SHA256

449bf249c170a1b3275c2a3ed45292244ecb49bf3be24ccef3809330de252d90
SHA512

00d7f1882e48222a94107b01734c4225461c28b39e7ff67597061360a1965b278962d3020406f4bcd6d38609d61e687f1b17e4f11735fc98697252bf0b17d79b
SSDEEP

6144:Ddnrsfcv+Q3KGZ+tJm5RliVL4KciREqBQPzF+eanHuU0LIyv5Vl0xq:KgkXm5zibmqBQPzEeqOUgHxB

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot7169426142:AAG_Nuf4vFdD3YALIW-rE-UaNUDVey15SPM/sendMessage?chat_id=1545867115

Targets

- Target
  
  29e1467e979c85abfbdd3da6b09e6c16.exe
- Size
  
  467KB
- MD5
  
  29e1467e979c85abfbdd3da6b09e6c16
- SHA1
  
  9cfa0ebefbc7ae0a2a87c255cae34c9e3ce239c5
- SHA256
  
  449bf249c170a1b3275c2a3ed45292244ecb49bf3be24ccef3809330de252d90
- SHA512
  
  00d7f1882e48222a94107b01734c4225461c28b39e7ff67597061360a1965b278962d3020406f4bcd6d38609d61e687f1b17e4f11735fc98697252bf0b17d79b
- SSDEEP
  
  6144:Ddnrsfcv+Q3KGZ+tJm5RliVL4KciREqBQPzF+eanHuU0LIyv5Vl0xq:KgkXm5zibmqBQPzEeqOUgHxB
Score

10^/10

snakekeylogger collection evasion keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Disables RegEdit via registry modification
  evasion
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/Banner.dll
- Size
  
  3KB
- MD5
  
  71eab837b047124129461cb97f39745b
- SHA1
  
  6af00ad38ee73303b39970c96859ab6fe7cae584
- SHA256
  
  46cbb2797870de12aaac717da5c9bb9e2fab20d42e562d6c3925865caea2e81b
- SHA512
  
  66aa810dc1cd6e8e45ddd62ac88a4999b1b9a3c61aded5054ac8374d2ef5403021fa6bb104eb75c1f6ff4fdde5bc026f00c83dcb166febaaa47bebae0366276e
Score

1^/10
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  10e8921a6e7f6a74671b07dc3bde626f
- SHA1
  
  b7961066600ef193c5319dbeed3673dc60110a50
- SHA256
  
  c85142f86e1ec02f7ef8d5ba31b22031de3de9a16bce519d5482b824afb277eb
- SHA512
  
  4c19a7e3117baeec3f6a7f9a33cfab392255741137406db87fe5ac24def7f9a28b2ed0fc26f0f46c5d43ba1bb6675dea74410a797bfd265e38812b042460aa00
- SSDEEP
  
  192:Q9rQDenC9VrcK7REgSWOprANupQYLRszDDH/d9CWlXo7U6Wxf:QJQEaVAK7R9SfpjpQYLRszfH/d9CWB1j
Score

3^/10
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/UserInfo.dll
- Size
  
  3KB
- MD5
  
  3840a8875ee86c83b57b6e8eca96b013
- SHA1
  
  aeb5cd350b9bcc2e2903cf35da550e1223efead6
- SHA256
  
  b99a9f1783fa8156ce4480367e7b059b949fe083dbe66c7dc03e6bcc16f83f8b
- SHA512
  
  d0d1ebe62916b2e36664256f7e3d1009f8a928bccf0775943f6416255942fb5ac016b8459fc8fb91fd2a3ffb3272e3350578f12e1b5b40a44095ba6fc6f861c1
Score

3^/10
behavioral7 behavioral8
- Target
  
  $PLUGINSDIR/nsDialogs.dll
- Size
  
  9KB
- MD5
  
  800aa26b2eb417363bf7ec155cd6c845
- SHA1
  
  eaec626eefb36850a90c3ffaa7eab1b8750aad1d
- SHA256
  
  c40817e6948ff1b6e1983ef9dd4f21394a81336e9fe2aea826eafe02a8df047e
- SHA512
  
  2714bbaa04f481ac6fd83f64106688299d34e6af33d3e13b890c1ca72b0570b9867d427deaab48ae1ee3fe836976f9ac4dac12feb1624787b6fb2787c8db9577
- SSDEEP
  
  96:GIKf21CuHq37MPuQ7rA9auHav8ZwK03cONByZyImHcAqgvB05CZnthgvsSluspKd:G5Om342wrA5apH3/NYmciACZUEEpU
Score

3^/10
behavioral10 behavioral9
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  520d07e4bdab538c87b797d687717639
- SHA1
  
  569e5afdeee3cd6b2a77f715828ccb97b470f5fa
- SHA256
  
  9bf2482d0cdd486e1ec6d21eec00ac95538a7513a7f3c3ba117f7bf21a2b8f2d
- SHA512
  
  2302618d7b22913b11b1127378109f476de60f4231de377c5d0509b332e47efc12ca3294f3b36621eb7eb5b62b0a9ca98b5ef9692a807de58efd753594ab0185
- SSDEEP
  
  96:Jt4Vl/7Lo1UBrob9ljNEUgD7cyuM1x9XkraK2A2KAB5VVDyssKZ:Jt4Vlw1Iul5J8T1vK20I5VVGsb
Score

3^/10
behavioral11 behavioral12

MITRE ATT&CK Matrix ATT&CK v13

Tasks

Sharing

General

Malware Config

Extracted

Targets

Snake Keylogger

Snake Keylogger payload

Disables RegEdit via registry modification

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12