snakekeylogger | ed8596ea2c9c957127281b2a4380c20f6ef825a4f6f0814094975c66bc5ebec1

General

Target

Zz92XfcijKVXcny.exe
Size

1.4MB
MD5

bfcd8470a0944381db7660977261f9db
SHA1

44c413af5e0479fabb0486151cc6d2bdff33de6a
SHA256

ed8596ea2c9c957127281b2a4380c20f6ef825a4f6f0814094975c66bc5ebec1
SHA512

e336045d1a8247385d073205fdce676cdac5593af2b6003c8a7b828bf2e2a3eda61da439574721d55cd63b942982278af3c05e78f0d1cd7df388f9134497d45d

Score

10^/10

snakekeylogger keylogger spyware stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2344-15-0x0000000000400000-0x000000000046A000-memory.dmp	family_snakekeylogger
behavioral2/memory/2344-16-0x000000000046573E-mapping.dmp	family_snakekeylogger

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 checkip.dyndns.org
19 freegeoip.app
20 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

Zz92XfcijKVXcny.exe

description pid process target process

PID 3108 set thread context of 2344 3108 Zz92XfcijKVXcny.exe Zz92XfcijKVXcny.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4000 schtasks.exe

flow	ioc
16	checkip.dyndns.org
19	freegeoip.app
20	freegeoip.app

description	pid	process	target process
PID 3108 set thread context of 2344	3108	Zz92XfcijKVXcny.exe	Zz92XfcijKVXcny.exe

pid	process
4000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

Zz92XfcijKVXcny.exeZz92XfcijKVXcny.exe

pid	process
3108	Zz92XfcijKVXcny.exe
3108	Zz92XfcijKVXcny.exe
3108	Zz92XfcijKVXcny.exe
2344	Zz92XfcijKVXcny.exe
2344	Zz92XfcijKVXcny.exe
2344	Zz92XfcijKVXcny.exe
2344	Zz92XfcijKVXcny.exe
2344	Zz92XfcijKVXcny.exe
2344	Zz92XfcijKVXcny.exe
2344	Zz92XfcijKVXcny.exe
2344	Zz92XfcijKVXcny.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Zz92XfcijKVXcny.exeZz92XfcijKVXcny.exe

description pid process

Token: SeDebugPrivilege 3108 Zz92XfcijKVXcny.exe
Token: SeDebugPrivilege 2344 Zz92XfcijKVXcny.exe

description	pid	process
Token: SeDebugPrivilege	3108	Zz92XfcijKVXcny.exe
Token: SeDebugPrivilege	2344	Zz92XfcijKVXcny.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Zz92XfcijKVXcny.exe

description	pid	process	target process
PID 3108 wrote to memory of 4000	3108	Zz92XfcijKVXcny.exe	schtasks.exe
PID 3108 wrote to memory of 4000	3108	Zz92XfcijKVXcny.exe	schtasks.exe
PID 3108 wrote to memory of 4000	3108	Zz92XfcijKVXcny.exe	schtasks.exe
PID 3108 wrote to memory of 2344	3108	Zz92XfcijKVXcny.exe	Zz92XfcijKVXcny.exe
PID 3108 wrote to memory of 2344	3108	Zz92XfcijKVXcny.exe	Zz92XfcijKVXcny.exe
PID 3108 wrote to memory of 2344	3108	Zz92XfcijKVXcny.exe	Zz92XfcijKVXcny.exe
PID 3108 wrote to memory of 2344	3108	Zz92XfcijKVXcny.exe	Zz92XfcijKVXcny.exe
PID 3108 wrote to memory of 2344	3108	Zz92XfcijKVXcny.exe	Zz92XfcijKVXcny.exe
PID 3108 wrote to memory of 2344	3108	Zz92XfcijKVXcny.exe	Zz92XfcijKVXcny.exe
PID 3108 wrote to memory of 2344	3108	Zz92XfcijKVXcny.exe	Zz92XfcijKVXcny.exe
PID 3108 wrote to memory of 2344	3108	Zz92XfcijKVXcny.exe	Zz92XfcijKVXcny.exe

C:\Users\Admin\AppData\Local\Temp\Zz92XfcijKVXcny.exe
"C:\Users\Admin\AppData\Local\Temp\Zz92XfcijKVXcny.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xHfHWx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE16D.tmp"
2⤵
- Creates scheduled task(s)
PID:4000

C:\Users\Admin\AppData\Local\Temp\Zz92XfcijKVXcny.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Zz92XfcijKVXcny.exe.log
MD5
b4f7a6a57cb46d94b72410eb6a6d45a9

SHA1
69f3596ffa027202d391444b769ceea0ae14c5f7

SHA256
23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b

SHA512
be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE16D.tmp
MD5
604a681dc3f2fbce3c5c53922d8c0a37

SHA1
21b6632107049deaf059ad4018bedc54c78ac802

SHA256
d7f8292013c2920107f68bc7f50f4ad7db9bcac8898819de14b23316e0ea93c0

SHA512
49a838a7247b8e90d4a5f5b60e0f39a2866f2b534312a3c2b3c0529ae033df79160ad97735ce348e2e97b8c9884621508927f8dd7cc8ccecb4997bb1282b4c53

Download Submit
memory/2344-24-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/2344-23-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/2344-18-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/2344-16-0x000000000046573E-mapping.dmp

Download
memory/2344-15-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3108-7-0x000000000A660000-0x000000000A661000-memory.dmp

Filesize
4KB

Download
memory/3108-11-0x0000000004F40000-0x0000000004FD3000-memory.dmp

Filesize
588KB

Download
memory/3108-12-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3108-10-0x000000000A950000-0x000000000A95E000-memory.dmp

Filesize
56KB

Download
memory/3108-9-0x000000000A610000-0x000000000A611000-memory.dmp

Filesize
4KB

Download
memory/3108-8-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/3108-2-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/3108-6-0x000000000A9C0000-0x000000000A9C1000-memory.dmp

Filesize
4KB

Download
memory/3108-5-0x0000000004D40000-0x0000000004DC1000-memory.dmp

Filesize
516KB

Download
memory/3108-3-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/4000-13-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads