Managed XDR

1-1633023177.m79063p91...-s-330819-w-335385_2-s (SnakeKeylogger) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
1-1633023177.m79063p919395.a2plcpnl0073.prod.iad2.secureserver.net-s-330819-w-335385_2-s
Тип файла
SMTP mail, UTF-8 Unicode text
Размер файла
323.1 KB
Первое обнаружение
Последнее обнаружение

Окружение

w10/x64 en

Хеши

SHA1
929ab5a77a7b410977dfede60bf2d976a915de9f
SHA256
ff4445a6239d8b4db242fe19b1b0ae333ee62ffac11f41dd69ea250cebf10cf0
MD5
f14fb0e872029dd9609792fe564cf146

Вредоносное ПО

  • SnakeKeylogger

Сигнатуры

Execution

T1059 nsis_suspicious_filenames: Nsis contains files with suspicious names

Persistence

T1574 dropper_dll: Creates DLL, which is then loaded into the process

Privilege Escalation

T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1055.002 inject_write_pe: Writes PE file to another process's memory
T1055.012 injection_runpe: Injects code into another process
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates DLL, which is then loaded into the process
T1027.002 nsis_archive: One of the packages is NSIS archive
T1027.002 nsis_suspicious_filenames: Nsis contains files with suspicious names
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization
T1480 system_default_lang_id_present: Checks the system language

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

Command and Control

T1071.001 winhttp_https: Performs HTTP/HTTPS requests using WinHttp

Other

yara_rules: Static rules
ce_info: Snake Keylogger Configuration Data found
network_bind: Starts servers listening at None
process_crashed: One of the processes has failed
net_dumps_in_native: .Net dumps have been found in native PE
creates_suspended_process: Creates suspended process
creates_exe: Creates executable files in the file system
suspicious_network_port: Performs TCP or UDP request to non-standard port
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call
pe_overlay: PE file contains overlay

Похожие отчёты

Managed XDR