snakekeylogger | 3bea531a02c14fe09f631ee0f957d12bbf07085c666ee0c5f05de926e88d40c8

General

Target

INV0009876.exe
Size

666KB
MD5

2f7ea13f989e231b54104840f0ca91ce
SHA1

69e1a342cfaed1eaf5e3daa0427a3715be32c967
SHA256

3bea531a02c14fe09f631ee0f957d12bbf07085c666ee0c5f05de926e88d40c8
SHA512

8abee6f0b36140e1404279d8a3e71c8bce5e2168cdc2f128349e439e95860d5ccaf1905bc585d6a0fd51d050a56ebfb6819f9836ac6422281ed5dab6cd410fd3

Score

10^/10

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2664-12-0x0000000000400000-0x000000000046A000-memory.dmp	family_snakekeylogger
behavioral2/memory/2664-13-0x000000000046412E-mapping.dmp	family_snakekeylogger

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 checkip.dyndns.org
14 freegeoip.app
15 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

INV0009876.exe

description pid process target process

PID 496 set thread context of 2664 496 INV0009876.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3100 496 WerFault.exe INV0009876.exe

description	pid	process	target process
PID 496 set thread context of 2664	496	INV0009876.exe	RegAsm.exe

pid	pid_target	process	target process
3100	496	WerFault.exe	INV0009876.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

RegAsm.exeWerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RegAsm.exeWerFault.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

INV0009876.exe

description	pid	process	target process
PID 496 wrote to memory of 2664	496	INV0009876.exe	RegAsm.exe
PID 496 wrote to memory of 2664	496	INV0009876.exe	RegAsm.exe
PID 496 wrote to memory of 2664	496	INV0009876.exe	RegAsm.exe
PID 496 wrote to memory of 2664	496	INV0009876.exe	RegAsm.exe
PID 496 wrote to memory of 2664	496	INV0009876.exe	RegAsm.exe
PID 496 wrote to memory of 2664	496	INV0009876.exe	RegAsm.exe
PID 496 wrote to memory of 2664	496	INV0009876.exe	RegAsm.exe
PID 496 wrote to memory of 2664	496	INV0009876.exe	RegAsm.exe

memory/496-11-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/496-9-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/496-5-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/496-6-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/496-2-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/496-8-0x0000000005F20000-0x0000000005F21000-memory.dmp

Filesize
4KB

Download
memory/496-3-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/496-10-0x00000000055A0000-0x00000000055AF000-memory.dmp

Filesize
60KB

Download
memory/496-7-0x0000000005660000-0x00000000056F1000-memory.dmp

Filesize
580KB

Download
memory/496-19-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/2664-13-0x000000000046412E-mapping.dmp

Download
memory/2664-14-0x0000000073360000-0x0000000073A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-12-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2664-20-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/2664-22-0x0000000006230000-0x0000000006231000-memory.dmp

Filesize
4KB

Download
memory/3100-21-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download