snakekeylogger | 745b655e27656f2b312cfbb28cbe718ea494c503cd96fa63ee65a9a3caa8f939

General

Target

RFQ_FOR_PO.exe
Size

1.7MB
MD5

3696d772035228acb5692f4ff6ad9fd7
SHA1

2a2a4e13d861dcf3b31b089ae9b99281dd3d6ef7
SHA256

745b655e27656f2b312cfbb28cbe718ea494c503cd96fa63ee65a9a3caa8f939
SHA512

802ba65ea3223aa68d17f86023e669a00884fec71f8631b3ed925a2a82967d8cb13b9dfefc13237af50949a22a0c9a0adb4980499aeb4d4418fe2b7454f43101

Score

10^/10

snakekeylogger keylogger spyware stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3044-15-0x0000000000400000-0x0000000000466000-memory.dmp	family_snakekeylogger
behavioral2/memory/3044-16-0x0000000000461EEE-mapping.dmp	family_snakekeylogger

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 checkip.dyndns.org
18 freegeoip.app
19 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ_FOR_PO.exe

description pid process target process

PID 812 set thread context of 3044 812 RFQ_FOR_PO.exe RFQ_FOR_PO.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1976 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RFQ_FOR_PO.exe

pid process

3044 RFQ_FOR_PO.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RFQ_FOR_PO.exe

description pid process

Token: SeDebugPrivilege 3044 RFQ_FOR_PO.exe

flow	ioc
15	checkip.dyndns.org
18	freegeoip.app
19	freegeoip.app

description	pid	process	target process
PID 812 set thread context of 3044	812	RFQ_FOR_PO.exe	RFQ_FOR_PO.exe

pid	process
1976	schtasks.exe

pid	process
3044	RFQ_FOR_PO.exe

description	pid	process
Token: SeDebugPrivilege	3044	RFQ_FOR_PO.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

RFQ_FOR_PO.exe

description	pid	process	target process
PID 812 wrote to memory of 1976	812	RFQ_FOR_PO.exe	schtasks.exe
PID 812 wrote to memory of 1976	812	RFQ_FOR_PO.exe	schtasks.exe
PID 812 wrote to memory of 1976	812	RFQ_FOR_PO.exe	schtasks.exe
PID 812 wrote to memory of 3044	812	RFQ_FOR_PO.exe	RFQ_FOR_PO.exe
PID 812 wrote to memory of 3044	812	RFQ_FOR_PO.exe	RFQ_FOR_PO.exe
PID 812 wrote to memory of 3044	812	RFQ_FOR_PO.exe	RFQ_FOR_PO.exe
PID 812 wrote to memory of 3044	812	RFQ_FOR_PO.exe	RFQ_FOR_PO.exe
PID 812 wrote to memory of 3044	812	RFQ_FOR_PO.exe	RFQ_FOR_PO.exe
PID 812 wrote to memory of 3044	812	RFQ_FOR_PO.exe	RFQ_FOR_PO.exe
PID 812 wrote to memory of 3044	812	RFQ_FOR_PO.exe	RFQ_FOR_PO.exe
PID 812 wrote to memory of 3044	812	RFQ_FOR_PO.exe	RFQ_FOR_PO.exe

C:\Users\Admin\AppData\Local\Temp\RFQ_FOR_PO.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_FOR_PO.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EIIphOzWsDnVnb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2D89.tmp"
2⤵
- Creates scheduled task(s)
PID:1976

C:\Users\Admin\AppData\Local\Temp\RFQ_FOR_PO.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_FOR_PO.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ_FOR_PO.exe.log
MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D89.tmp
MD5
b9953cfcf8c1c3bb750d230b663b51cc

SHA1
49e4a1f2dac99bf56e94c7133dbee5935669ba9e

SHA256
4f2e1b86c0012aad3e96880dcecd4cda0acfbab5332b01bce648f11f4a038b7f

SHA512
72ea6ebac0c04e6adf3af17e880e7400664591051a069241d17e505685d44a846c0f1263634123b626dbedd6aa7f68fa2a55c6d2654e991fc563b1b04bf07c81

Download Submit
memory/812-11-0x0000000007270000-0x0000000007293000-memory.dmp

Filesize
140KB

Download
memory/812-12-0x0000000007FF0000-0x0000000008089000-memory.dmp

Filesize
612KB

Download
memory/812-7-0x0000000007350000-0x0000000007351000-memory.dmp

Filesize
4KB

Download
memory/812-8-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/812-9-0x0000000007230000-0x0000000007231000-memory.dmp

Filesize
4KB

Download
memory/812-10-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/812-2-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/812-6-0x0000000007850000-0x0000000007851000-memory.dmp

Filesize
4KB

Download
memory/812-3-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/812-5-0x00000000072B0000-0x00000000072B1000-memory.dmp

Filesize
4KB

Download
memory/1976-13-0x0000000000000000-mapping.dmp

Download
memory/3044-15-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3044-16-0x0000000000461EEE-mapping.dmp

Download
memory/3044-18-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/3044-23-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/3044-24-0x0000000006CE0000-0x0000000006CE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads