snakekeylogger | 218fa15ef4b6910a7dd996ed0b54df8dfae8f174013b4214971c91787654f7a4

General

Target

Scan document.exe
Size

667KB
MD5

3ae1b28cf2f2909ed5c5451653017a0a
SHA1

726aaf44fb0761703f5044c858fe03644edc0063
SHA256

218fa15ef4b6910a7dd996ed0b54df8dfae8f174013b4214971c91787654f7a4
SHA512

3b133df737f66cfc8b54fd392a6b5a72a139e4f7d691ddd0674cecda5dd1cfaa2b583a1188bfad536318985ecb1f89d02fc778720b4ff19ba4b8cbfe8f4dfa0c

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.ru
Port:
587
Username:
[email protected]
Password:
internationallove147

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/836-21-0x000000000046474E-mapping.dmp	family_snakekeylogger
behavioral2/memory/836-20-0x0000000000400000-0x000000000046A000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 checkip.dyndns.org
13 freegeoip.app
14 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

Scan document.exe

description pid process target process

PID 4756 set thread context of 836 4756 Scan document.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Scan document.exeRegAsm.exe

pid process

4756 Scan document.exe
4756 Scan document.exe
836 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Scan document.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 4756 Scan document.exe
Token: SeDebugPrivilege 836 RegAsm.exe

flow	ioc
10	checkip.dyndns.org
13	freegeoip.app
14	freegeoip.app

description	pid	process	target process
PID 4756 set thread context of 836	4756	Scan document.exe	RegAsm.exe

pid	process
4756	Scan document.exe
4756	Scan document.exe
836	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4756	Scan document.exe
Token: SeDebugPrivilege	836	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Scan document.exe

description	pid	process	target process
PID 4756 wrote to memory of 3300	4756	Scan document.exe	SecEdit.exe
PID 4756 wrote to memory of 3300	4756	Scan document.exe	SecEdit.exe
PID 4756 wrote to memory of 3300	4756	Scan document.exe	SecEdit.exe
PID 4756 wrote to memory of 4224	4756	Scan document.exe	SecEdit.exe
PID 4756 wrote to memory of 4224	4756	Scan document.exe	SecEdit.exe
PID 4756 wrote to memory of 4224	4756	Scan document.exe	SecEdit.exe
PID 4756 wrote to memory of 2084	4756	Scan document.exe	SecEdit.exe
PID 4756 wrote to memory of 2084	4756	Scan document.exe	SecEdit.exe
PID 4756 wrote to memory of 2084	4756	Scan document.exe	SecEdit.exe
PID 4756 wrote to memory of 844	4756	Scan document.exe	RegAsm.exe
PID 4756 wrote to memory of 844	4756	Scan document.exe	RegAsm.exe
PID 4756 wrote to memory of 844	4756	Scan document.exe	RegAsm.exe
PID 4756 wrote to memory of 836	4756	Scan document.exe	RegAsm.exe
PID 4756 wrote to memory of 836	4756	Scan document.exe	RegAsm.exe
PID 4756 wrote to memory of 836	4756	Scan document.exe	RegAsm.exe
PID 4756 wrote to memory of 836	4756	Scan document.exe	RegAsm.exe
PID 4756 wrote to memory of 836	4756	Scan document.exe	RegAsm.exe
PID 4756 wrote to memory of 836	4756	Scan document.exe	RegAsm.exe
PID 4756 wrote to memory of 836	4756	Scan document.exe	RegAsm.exe
PID 4756 wrote to memory of 836	4756	Scan document.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Scan document.exe
"C:\Users\Admin\AppData\Local\Temp\Scan document.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\SecEdit.exe
"C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log
2⤵
PID:3300

C:\Windows\SysWOW64\SecEdit.exe
"C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log
2⤵
PID:4224

C:\Windows\SysWOW64\SecEdit.exe
"C:\Windows\System32\SecEdit.exe" /export /cfg C:\Users\Admin\AppData\Local\Temp\UserRights.cfg /areas User_Rights /log C:\Users\Admin\AppData\Local\Temp\UserRights.log
2⤵
PID:2084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UserRights.cfg
MD5
456fce3c9c70a5522b9ccb8e7805fafd

SHA1
5988836ad195d430687177e74544596b0bcc0324

SHA256
94e0a2f7c5813e0ffc3522c5cda4da66e218050c3a2f471a361d898722d7d991

SHA512
b0ae155778bb726ef2f07256a09fc3c062e086d4cae13346f02141642fce0c49a3a239e813f4e69133e06ce3ba564056b3b903fce211dedbe2cf62ade1dfd6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UserRights.cfg
MD5
49690b04039df7c36d6c0672e1fb32cd

SHA1
8f9c6ff079e52b4fb87e7475fcea2631fee28edf

SHA256
4b3dcc7dd63590a61b0b9a0075e08b004d609db0158927401ee6e72242d6e873

SHA512
3ee00bf6e43cfcdd2003e74bb83d4988b2b0ef22efa9869ec0a7bd3f93c0bcff549289e99619f026a6fea64be7c974331443bea10448c90b0d9d20781f445717

Download Submit
C:\Users\Admin\AppData\Local\Temp\UserRights.log
MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\UserRights.log
MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/836-27-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/836-22-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/836-20-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/836-21-0x000000000046474E-mapping.dmp

Download
memory/2084-12-0x0000000000000000-mapping.dmp

Download
memory/3300-9-0x0000000000000000-mapping.dmp

Download
memory/4224-10-0x0000000000000000-mapping.dmp

Download
memory/4756-8-0x0000000008FA0000-0x0000000008FA1000-memory.dmp

Filesize
4KB

Download
memory/4756-2-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/4756-16-0x0000000009B00000-0x0000000009B91000-memory.dmp

Filesize
580KB

Download
memory/4756-17-0x0000000009BA0000-0x0000000009BA1000-memory.dmp

Filesize
4KB

Download
memory/4756-18-0x0000000009FE0000-0x0000000009FE1000-memory.dmp

Filesize
4KB

Download
memory/4756-19-0x0000000009F40000-0x0000000009F4F000-memory.dmp

Filesize
60KB

Download
memory/4756-7-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/4756-6-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/4756-5-0x0000000005E20000-0x0000000005E21000-memory.dmp

Filesize
4KB

Download
memory/4756-3-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads