Overview

overview

10

Static

static

1

02072024_0...p.docx

windows7-x64

10

02072024_0...p.docx

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    02072024_0208_01072024_Bank slip.docx

  • Size

    16KB

  • Sample

    240702-ck17vswdkn

  • MD5

    d23ad6c57a2e42bc4d01a63c7957047a

  • SHA1

    0e6de0feaa8e9471395943675fdd2da07576c1bd

  • SHA256

    9d2722eed882f96fbe2c0cab9297cd0f8b180add761b034be81ebbed18acb33a

  • SHA512

    63fb9186a83f9c917ad110f986deb08fb36b4eaa3a254f4c421a55a85b21c6c976ac54ad41f0781095cc8125119838a489ad218bd274025a1a917b398392aa50

  • SSDEEP

    384:WyXHNatWqs8PL8wi4OEwH8TIbE91r2fRqJY8cviCv4zxUBZ72:WcHqx5P3DOqnYJUYvrv4lx

Score
10/10
snakekeyloggercollectionexecutionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    mail.artefes.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ArtEfes4765*+

Targets

    • Target

      02072024_0208_01072024_Bank slip.docx

    • Size

      16KB

    • MD5

      d23ad6c57a2e42bc4d01a63c7957047a

    • SHA1

      0e6de0feaa8e9471395943675fdd2da07576c1bd

    • SHA256

      9d2722eed882f96fbe2c0cab9297cd0f8b180add761b034be81ebbed18acb33a

    • SHA512

      63fb9186a83f9c917ad110f986deb08fb36b4eaa3a254f4c421a55a85b21c6c976ac54ad41f0781095cc8125119838a489ad218bd274025a1a917b398392aa50

    • SSDEEP

      384:WyXHNatWqs8PL8wi4OEwH8TIbE91r2fRqJY8cviCv4zxUBZ72:WcHqx5P3DOqnYJUYvrv4lx

    Score
    10/10
    snakekeyloggercollectionexecutionkeyloggerspywarestealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

System Information Discovery

3
T1082

Query Registry

3
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks