Managed XDR

9410a355-a47c-464d-743...-b2b8-e1eba76edd00.eml (SnakeKeylogger) — malware analysis report

File info

Filename
9410a355-a47c-464d-743e-08dcb0649f0d-88a37322-c4c9-a2db-b2b8-e1eba76edd00.eml
File type
RFC 822 mail, UTF-8 Unicode text, with CRLF line terminators
File size
34.3 KB
First seen
Last seen

Environment

w10/x64 en

Hashes

SHA1
03add8ce793dd9043c7de8366c5973624b6c91de
SHA256
e464508deff2c00f2cf76e3629098432a8fce54014c6e6c25b25051f2286a0bd
MD5
3dec244320daac1a2c4ba14b64a3f0c1

Malwares

  • SnakeKeylogger

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059.001 url_cmdline: Cmdline of process contains URL
T1059.003 url_cmdline: Cmdline of process contains URL

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1218 suspicious_cmdline: Executes a suspicious command
T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497.001 antivm_network_adapters: Checks NIC addresses
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1497.001 antivm_queries_computername: Retrieves the computer name
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1070 stealth_window: A process created a hidden window

Discovery

T1497.001 antivm_network_adapters: Checks NIC addresses
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1518 locates_browser: Attempts to identify where browsers are installed
T1497.001 antivm_queries_computername: Retrieves the computer name

Command and Control

T1102.003 cloud_discord: Connects to cloud services of Discord (potentially for malicious payload delivery)
T1071.001 network_http: Performs HTTP requests

Other

yara_rules: Static rules
suricata_alert: Malicious traffic detected
creates_exe: Creates executable files in the file system
static_pe_anomaly: The PE file structure contains anomalies
copies_self: Creates a copy of itself
ip_domains: Identifies an IP address using external resources
suspicious_process_network: Unusual process network activity detected
process_crashed: One of the processes has failed
no_graphical_activity: No graphic activity
creates_suspended_process: Creates suspended process
dotnet_import_unmanaged_code: Dotnet program statically imports unmanaged functions/modules
get_policy_info: Retrieves information about a Policy object
test_check_service: Starts services
dotnet_suspicious_module_name: Dotnet program has suspicious module name

Related reports