General

  • Target

    194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f.docx

  • Size

    16KB

  • Sample

    240705-bxm1bs1gkg

  • MD5

    d5ab2de292b70d3a7f0fc16b236c325b

  • SHA1

    b7e498349dae307fdf4d08dfb5de5eccba4ac3d5

  • SHA256

    194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f

  • SHA512

    2a33a54389da5716021c2a3d181e27819d7c2bfcc4eb921fe4cbed4880b800901ee478f059c7f48375609e4e78f31874eeca5364df01d3fde49d9ef2744fe2ee

  • SSDEEP

    384:IyXKW7AWss8PL8wi4OEwH8TIbE91r2fRMJYvvid4ejeaS:IcK/b5P3DOqnYJKuvs4ejI

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.ebizindia.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Duro Mausam
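The extracted configuration above is the sample's exfiltration channel: Snake Keylogger mails stolen data straight from the infected host over SMTP submission (port 587). The script below is an added example, not part of the sandbox report or of the malware, showing how that config turns into a log check. Only the host and port come from the report; the log lines, internal addresses, other host names and the relay allowlist are constructed for the example and are not indicators from the report.

```python
"""Turn the extracted Snake Keylogger SMTP config into a connection-log check.

Added example, not part of the sandbox report. The host and port are the
report's extracted values; everything else below is constructed.
"""
import csv
import io

EXTRACTED_SMTP = {"host": "mail.ebizindia.com", "port": 587}

# Mail submission/transfer ports. The stealer sends mail directly from the
# workstation, so a workstation opening any of these to the internet is
# worth a look even when the destination host differs from the extracted one.
MAIL_PORTS = {25, 465, 587}

# Internal hosts expected to speak SMTP to the outside (assumption).
MAIL_RELAY_ALLOWLIST = {"10.0.5.25"}

# Constructed egress-firewall export: ts,src_ip,dst_host,dst_ip,dst_port,proto
SAMPLE_LOG = """\
2024-07-05T10:12:01Z,10.0.8.44,mail.ebizindia.com,203.0.113.10,587,tcp
2024-07-05T10:12:05Z,10.0.8.44,ip-lookup.example,203.0.113.20,443,tcp
2024-07-05T10:13:40Z,10.0.5.25,smtp.relay.example,203.0.113.30,587,tcp
2024-07-05T10:14:02Z,10.0.8.51,smtp.other.example,203.0.113.40,465,tcp
2024-07-05T10:15:00Z,10.0.8.52,www.example.com,203.0.113.50,443,tcp
"""

FIELDS = ["ts", "src_ip", "dst_host", "dst_ip", "dst_port", "proto"]


def parse_log(text):
    """Parse the CSV export into dicts, with dst_port as an int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["dst_port"] = int(row["dst_port"])
        rows.append(row)
    return rows


def match_events(rows, config=EXTRACTED_SMTP):
    """Apply two rules: the exact extracted C2 endpoint, and any mail
    submission from a host that is not an approved relay."""
    findings = []
    for row in rows:
        if row["proto"] != "tcp":
            continue
        if (row["dst_host"].lower() == config["host"]
                and row["dst_port"] == config["port"]):
            findings.append({"rule": "snakekeylogger-smtp-c2",
                             "src_ip": row["src_ip"], "ts": row["ts"]})
        if row["dst_port"] in MAIL_PORTS and row["src_ip"] not in MAIL_RELAY_ALLOWLIST:
            findings.append({"rule": "unexpected-mail-submission",
                             "src_ip": row["src_ip"], "ts": row["ts"]})
    return findings


def affected_hosts(findings):
    """Distinct internal sources that triggered any rule."""
    return sorted({f["src_ip"] for f in findings})


if __name__ == "__main__":
    for f in match_events(parse_log(SAMPLE_LOG)):
        print(f"{f['ts']} {f['src_ip']} {f['rule']}")
```

The second rule is the durable one: the mail server in a config changes between campaigns, but a user workstation opening port 25/465/587 to the internet is rare in most environments and is the behaviour the family relies on.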

Targets

    • Target

      194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f.docx

    • Size

      16KB

    • MD5

      d5ab2de292b70d3a7f0fc16b236c325b

    • SHA1

      b7e498349dae307fdf4d08dfb5de5eccba4ac3d5

    • SHA256

      194c843d5109edd9d14f1b459524dde024bd903d3e70616b9270263279b5416f

    • SHA512

      2a33a54389da5716021c2a3d181e27819d7c2bfcc4eb921fe4cbed4880b800901ee478f059c7f48375609e4e78f31874eeca5364df01d3fde49d9ef2744fe2ee

    • SSDEEP

      384:IyXKW7AWss8PL8wi4OEwH8TIbE91r2fRMJYvvid4ejeaS:IcK/b5P3DOqnYJKuvs4ejI

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
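The "Abuses OpenXML format to download file from external location" signature refers to a relationship inside the .docx package whose target lies outside the package (TargetMode="External"); for relationship types such as attachedTemplate, Word resolves that target on open, which is how a 16KB document with no macros ends up pulling down the Snake Keylogger payload. The scanner below is an added example, not code from the sandbox report or the analysed sample. It builds a minimal .docx in memory so it runs offline; the URLs and part contents in that constructed document are assumptions, not indicators from the report.

```python
"""Flag OpenXML relationships that make Word fetch content from outside the package.

Added example, not from the sandbox report. The .docx is constructed in memory;
its URLs are placeholders, not indicators.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Relationship types Word resolves without user interaction. A hyperlink is
# external too but only fires on click, so it is reported, not flagged.
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument"}


def external_relationships(docx_bytes):
    """Every relationship in any .rels part whose TargetMode is External."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{PKG_RELS_NS}}}Relationship"):
                # TargetMode defaults to Internal when the attribute is absent.
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": rel.get("Target"),
                })
    return findings


def auto_fetch_relationships(docx_bytes):
    """Subset of external relationships that Word resolves on open."""
    return [r for r in external_relationships(docx_bytes) if r["type"] in AUTO_FETCH_TYPES]


def _rel(rid, rtype, target, external=False):
    mode = ' TargetMode="External"' if external else ""
    return f'<Relationship Id="{rid}" Type="{OFFICE_REL_BASE}{rtype}" Target="{target}"{mode}/>'


def _rels_part(*rels):
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{PKG_RELS_NS}">' + "".join(rels) + "</Relationships>")


def build_sample_docx(template_url, link_url):
    """Constructed minimal .docx with one clickable hyperlink and, when
    template_url is given, a remote attachedTemplate (the abuse pattern)."""
    settings_body = '<w:attachedTemplate r:id="rId1"/>' if template_url else ""
    settings_rels = (_rel("rId1", "attachedTemplate", template_url, True),) if template_url else ()
    parts = {
        "[Content_Types].xml": (
            '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
            "</Types>"),
        "_rels/.rels": _rels_part(_rel("rId1", "officeDocument", "word/document.xml")),
        "word/document.xml": (
            f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>constructed sample</w:t></w:r></w:p>'
            "</w:body></w:document>"),
        "word/_rels/document.xml.rels": _rels_part(
            _rel("rId1", "settings", "settings.xml"),
            _rel("rId2", "hyperlink", link_url, True)),
        "word/settings.xml": (
            f'<w:settings xmlns:w="{W_NS}" xmlns:r="{OFFICE_REL_BASE[:-1]}">{settings_body}</w:settings>'),
        "word/_rels/settings.xml.rels": _rels_part(*settings_rels),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        for name, body in parts.items():
            pkg.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx("http://template.example/t.dotm", "https://www.example.com/")
    for r in external_relationships(doc):
        flag = "FETCHES ON OPEN" if r["type"] in AUTO_FETCH_TYPES else "on click"
        print(f"{r['part']} {r['type']} -> {r['target']} [{flag}]")
```

Run against a real sample, the part to look at first is word/_rels/settings.xml.rels; the page's own signature fires on exactly this kind of entry, and the MD5/SHA256 of the document alone says nothing about what it will fetch.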

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Command and Scripting Interpreter, T1059 (1)
  • PowerShell, T1059.001 (1)
  • Exploitation for Client Execution, T1203 (1)

Credential Access

  • Unsecured Credentials, T1552 (2)
  • Credentials In Files, T1552.001 (2)

Discovery

  • System Information Discovery, T1082 (3)
  • Query Registry, T1012 (3)

Collection

  • Data from Local System, T1005 (2)
  • Email Collection, T1114 (1)

Tasks