Overview

overview

10

Static

static

1

511c823134...18.rtf

windows7-x64

10

511c823134...18.rtf

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ff06a87dd0550386be1f780d560f1877.bin

  • Size

    46KB

  • Sample

    240703-ecyg4swcqf

  • MD5

    3010e0df8deba35ee697028d21cd0251

  • SHA1

    c33b8f9c5fbb3071b2526085d109ea2dba0f6fd0

  • SHA256

    f856e5403a24692155bcd90d75a5198e0d1d91e9e33f2609ec4305e1478b6cdd

  • SHA512

    2cc0e535be4a61f60ae399f2e4a4f33d35a4db39d28af77924185eb4af0f84a0dbe48e28931d954f1037ec1bdb06359974bb42c9ad7134e535b7edfc9dd82fbe

  • SSDEEP

    768:mb+9yShEHfWQHElNpLt+kGSVwfaTFRrUrNzr7+Fye0dH5iiPBz2JGDI8B7j:T9/ShH8gkGSWfkCNX7+L0dwipzq6j

Score
10/10
snakekeyloggercollectionexecutionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    mail.artefes.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ArtEfes4765*+

Targets

    • Target

      511c82313461b74fe24201d13dead6a280311d248062e09a465eb950502d1c18.doc

    • Size

      415KB

    • MD5

      ff06a87dd0550386be1f780d560f1877

    • SHA1

      69e95738ec635520a508f7424a759261e5032cb0

    • SHA256

      511c82313461b74fe24201d13dead6a280311d248062e09a465eb950502d1c18

    • SHA512

      60e39f9628edbcb5118d53a2887c8f4879260d1d480a6a25960d58366fef2ca248b7115b521ff7de57c61063c1c35da0ac318fc22ad472b38b0cf34ecfd2534c

    • SSDEEP

      6144:PGuqGuqGuqGuqGuqGuqGuqGuqGuqGuqGuVhG+qMh9c:xe

    Score
    10/10
    snakekeyloggercollectionexecutionkeyloggerspywarestealer

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks