snakekeylogger | e96b94843af6cd39424813c798b678d7202015ea488ff88d7be4ceee0ddfe531

General

Target

c46ec309dba61ffbeb74bacf4f54c969.exe
Size

448KB
MD5

c46ec309dba61ffbeb74bacf4f54c969
SHA1

33c01acc5e47638a25ec6d16a478ca088183d8c4
SHA256

e96b94843af6cd39424813c798b678d7202015ea488ff88d7be4ceee0ddfe531
SHA512

d6184f35fad278ab0b6074b7a0b0404e820574187a5ad7cb964ac0c4678216d43e40e278c59d5a6124472df6c489e6da87faef362ad5d1b688d04c84e9bfb61f

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
pro40.emailserver.vn
Port:
587
Username:
[email protected]
Password:
Vexa@2013

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1452-3-0x0000000000400000-0x000000000046A000-memory.dmp	family_snakekeylogger
behavioral2/memory/1452-4-0x000000000046555E-mapping.dmp	family_snakekeylogger

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 checkip.dyndns.org
13 freegeoip.app
14 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

c46ec309dba61ffbeb74bacf4f54c969.exe

description pid process target process

PID 2604 set thread context of 1452 2604 c46ec309dba61ffbeb74bacf4f54c969.exe MSBuild.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1824 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

MSBuild.exe

pid process

1452 MSBuild.exe
1452 MSBuild.exe
1452 MSBuild.exe
1452 MSBuild.exe
1452 MSBuild.exe
1452 MSBuild.exe
1452 MSBuild.exe
1452 MSBuild.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

c46ec309dba61ffbeb74bacf4f54c969.exe

pid process

2604 c46ec309dba61ffbeb74bacf4f54c969.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 1452 MSBuild.exe

flow	ioc
8	checkip.dyndns.org
13	freegeoip.app
14	freegeoip.app

description	pid	process	target process
PID 2604 set thread context of 1452	2604	c46ec309dba61ffbeb74bacf4f54c969.exe	MSBuild.exe

pid	process
1824	schtasks.exe

pid	process
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe
1452	MSBuild.exe

pid	process
2604	c46ec309dba61ffbeb74bacf4f54c969.exe

description	pid	process
Token: SeDebugPrivilege	1452	MSBuild.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

c46ec309dba61ffbeb74bacf4f54c969.execmd.exe

description	pid	process	target process
PID 2604 wrote to memory of 1292	2604	c46ec309dba61ffbeb74bacf4f54c969.exe	cmd.exe
PID 2604 wrote to memory of 1292	2604	c46ec309dba61ffbeb74bacf4f54c969.exe	cmd.exe
PID 2604 wrote to memory of 1292	2604	c46ec309dba61ffbeb74bacf4f54c969.exe	cmd.exe
PID 2604 wrote to memory of 1452	2604	c46ec309dba61ffbeb74bacf4f54c969.exe	MSBuild.exe
PID 2604 wrote to memory of 1452	2604	c46ec309dba61ffbeb74bacf4f54c969.exe	MSBuild.exe
PID 2604 wrote to memory of 1452	2604	c46ec309dba61ffbeb74bacf4f54c969.exe	MSBuild.exe
PID 2604 wrote to memory of 1452	2604	c46ec309dba61ffbeb74bacf4f54c969.exe	MSBuild.exe
PID 1292 wrote to memory of 1824	1292	cmd.exe	schtasks.exe
PID 1292 wrote to memory of 1824	1292	cmd.exe	schtasks.exe
PID 1292 wrote to memory of 1824	1292	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c46ec309dba61ffbeb74bacf4f54c969.exe
"C:\Users\Admin\AppData\Local\Temp\c46ec309dba61ffbeb74bacf4f54c969.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\64a93f59b5894fd5b0d60f9f52db3822.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\64a93f59b5894fd5b0d60f9f52db3822.xml"
3⤵
- Creates scheduled task(s)
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\c46ec309dba61ffbeb74bacf4f54c969.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\64a93f59b5894fd5b0d60f9f52db3822.xml
MD5
a36564afc14b3eb0849c01a3afdb9944

SHA1
4dcee9fae3fde4e46b08529bc0ba067150686f07

SHA256
9d4342f763c5d62a06f69aa6fdcb1caa376ff2f2c0972f36b487f73b4d221996

SHA512
782082aa36ae056734e90fc079c813dfef59420571a1b70cde4cf15eb6c870f85b2bfe0748ef4db9df3d010c08671bff744d78178ba75bf2ba02b665f044ae89

Download Submit
memory/1292-2-0x0000000000000000-mapping.dmp

Download
memory/1452-3-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1452-4-0x000000000046555E-mapping.dmp

Download
memory/1452-7-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/1452-11-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/1452-12-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/1452-13-0x00000000064C0000-0x00000000064C1000-memory.dmp

Filesize
4KB

Download
memory/1452-14-0x0000000006730000-0x0000000006731000-memory.dmp

Filesize
4KB

Download
memory/1452-15-0x00000000064A0000-0x00000000064A1000-memory.dmp

Filesize
4KB

Download
memory/1824-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads