snakekeylogger | 2fabd4762d0f346547c11817e614da7462b64344ba29eef8bd58472bf524902c

General

Target

STATEMENT OF ACCOUNT-.pdf.exe
Size

958KB
MD5

36af1327aa572a073ee6a1cee0cb1255
SHA1

e9a967394c2b2a51ebfd2f4285173377ea989694
SHA256

2fabd4762d0f346547c11817e614da7462b64344ba29eef8bd58472bf524902c
SHA512

55ad4501e4491147e776c40f1c436c4705ca8b0a3912ab218f6a5f2c842733961913e992e2af3a51b018325bd95dbb639442f1eac7d81b1313508c0ba4c0679a

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2904-24-0x00000000004643AE-mapping.dmp	family_snakekeylogger
behavioral2/memory/2904-22-0x0000000000400000-0x000000000046A000-memory.dmp	family_snakekeylogger

Drops startup file 2 IoCs

Processes:

Powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe	Powershell.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 freegeoip.app
16 freegeoip.app
7 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

STATEMENT OF ACCOUNT-.pdf.exe

description pid process target process

PID 1176 set thread context of 2904 1176 STATEMENT OF ACCOUNT-.pdf.exe InstallUtil.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

976 1176 WerFault.exe STATEMENT OF ACCOUNT-.pdf.exe

flow	ioc
15	freegeoip.app
16	freegeoip.app
7	checkip.dyndns.org

description	pid	process	target process
PID 1176 set thread context of 2904	1176	STATEMENT OF ACCOUNT-.pdf.exe	InstallUtil.exe

pid	pid_target	process	target process
976	1176	WerFault.exe	STATEMENT OF ACCOUNT-.pdf.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

Powershell.exeInstallUtil.exeWerFault.exe

pid	process
3640	Powershell.exe
3640	Powershell.exe
2904	InstallUtil.exe
3640	Powershell.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe
976	WerFault.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Powershell.exeInstallUtil.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3640	Powershell.exe
Token: SeDebugPrivilege	2904	InstallUtil.exe
Token: SeRestorePrivilege	976	WerFault.exe
Token: SeBackupPrivilege	976	WerFault.exe
Token: SeDebugPrivilege	976	WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

STATEMENT OF ACCOUNT-.pdf.exe

description	pid	process	target process
PID 1176 wrote to memory of 3640	1176	STATEMENT OF ACCOUNT-.pdf.exe	Powershell.exe
PID 1176 wrote to memory of 3640	1176	STATEMENT OF ACCOUNT-.pdf.exe	Powershell.exe
PID 1176 wrote to memory of 3640	1176	STATEMENT OF ACCOUNT-.pdf.exe	Powershell.exe
PID 1176 wrote to memory of 2904	1176	STATEMENT OF ACCOUNT-.pdf.exe	InstallUtil.exe
PID 1176 wrote to memory of 2904	1176	STATEMENT OF ACCOUNT-.pdf.exe	InstallUtil.exe
PID 1176 wrote to memory of 2904	1176	STATEMENT OF ACCOUNT-.pdf.exe	InstallUtil.exe
PID 1176 wrote to memory of 2904	1176	STATEMENT OF ACCOUNT-.pdf.exe	InstallUtil.exe
PID 1176 wrote to memory of 2904	1176	STATEMENT OF ACCOUNT-.pdf.exe	InstallUtil.exe
PID 1176 wrote to memory of 2904	1176	STATEMENT OF ACCOUNT-.pdf.exe	InstallUtil.exe
PID 1176 wrote to memory of 2904	1176	STATEMENT OF ACCOUNT-.pdf.exe	InstallUtil.exe
PID 1176 wrote to memory of 2904	1176	STATEMENT OF ACCOUNT-.pdf.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT-.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT-.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT-.pdf.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1184
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/976-34-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/1176-7-0x0000000004F70000-0x0000000005001000-memory.dmp

Filesize
580KB

Download
memory/1176-18-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/1176-6-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/1176-2-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/1176-8-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/1176-9-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/1176-5-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/1176-3-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1176-21-0x0000000004DF0000-0x0000000004DFF000-memory.dmp

Filesize
60KB

Download
memory/1176-27-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/2904-33-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/2904-22-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2904-24-0x00000000004643AE-mapping.dmp

Download
memory/2904-26-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/2904-40-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/3640-20-0x00000000070C2000-0x00000000070C3000-memory.dmp

Filesize
4KB

Download
memory/3640-19-0x00000000070C0000-0x00000000070C1000-memory.dmp

Filesize
4KB

Download
memory/3640-23-0x0000000008010000-0x0000000008011000-memory.dmp

Filesize
4KB

Download
memory/3640-16-0x0000000008030000-0x0000000008031000-memory.dmp

Filesize
4KB

Download
memory/3640-25-0x00000000088F0000-0x00000000088F1000-memory.dmp

Filesize
4KB

Download
memory/3640-15-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/3640-14-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/3640-13-0x0000000007740000-0x0000000007741000-memory.dmp

Filesize
4KB

Download
memory/3640-32-0x0000000008940000-0x0000000008941000-memory.dmp

Filesize
4KB

Download
memory/3640-12-0x00000000070D0000-0x00000000070D1000-memory.dmp

Filesize
4KB

Download
memory/3640-11-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/3640-35-0x00000000096B0000-0x00000000096B1000-memory.dmp

Filesize
4KB

Download
memory/3640-36-0x0000000009540000-0x0000000009541000-memory.dmp

Filesize
4KB

Download
memory/3640-37-0x00000000095B0000-0x00000000095B1000-memory.dmp

Filesize
4KB

Download
memory/3640-39-0x00000000070C3000-0x00000000070C4000-memory.dmp

Filesize
4KB

Download
memory/3640-10-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads