snakekeylogger | cdc918638a38eb856105db8b22281142b5cc58f6538ad4e848e45d552332b5fd

General

Target

C103-202005514-05,PDF.exe
Size

584KB
MD5

eedd3f21579280588e987a0431315356
SHA1

e4232454d3c2e86fedba56dbb0f83363dbfe96bf
SHA256

cdc918638a38eb856105db8b22281142b5cc58f6538ad4e848e45d552332b5fd
SHA512

f1934302099a9d9e45e9aeba3f7fea64fb15021888580bfbe2e21e3a7183e2e01919f2f36163a328480e6d89607baf8ac8ba7180f0975cb103c1e37850d79c64

Score

10^/10

snakekeylogger keylogger ransomware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
smt.treat@yandex.com
Password:
WyhjVTBX5hjrgu7

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1636-16-0x0000000000400000-0x000000000046A000-memory.dmp	family_snakekeylogger
behavioral1/memory/1636-17-0x000000000046463E-mapping.dmp	family_snakekeylogger
behavioral1/memory/1636-20-0x0000000000400000-0x000000000046A000-memory.dmp	family_snakekeylogger

Drops startup file 2 IoCs

Processes:

Powershell.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe	Powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe	Powershell.exe

Loads dropped DLL 5 IoCs

Processes:

WerFault.exe

pid process

968 WerFault.exe
968 WerFault.exe
968 WerFault.exe
968 WerFault.exe
968 WerFault.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 checkip.dyndns.org
16 freegeoip.app
17 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

C103-202005514-05,PDF.exe

description pid process target process

PID 2008 set thread context of 1636 2008 C103-202005514-05,PDF.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

968 2008 WerFault.exe C103-202005514-05,PDF.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Powershell.exeRegAsm.exeWerFault.exe

pid process

816 Powershell.exe
1636 RegAsm.exe
816 Powershell.exe
968 WerFault.exe
968 WerFault.exe
968 WerFault.exe
968 WerFault.exe
968 WerFault.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Powershell.exeRegAsm.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 816 Powershell.exe
Token: SeDebugPrivilege 1636 RegAsm.exe
Token: SeDebugPrivilege 968 WerFault.exe

pid	process
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe

flow	ioc
5	checkip.dyndns.org
16	freegeoip.app
17	freegeoip.app

description	pid	process	target process
PID 2008 set thread context of 1636	2008	C103-202005514-05,PDF.exe	RegAsm.exe

pid	pid_target	process	target process
968	2008	WerFault.exe	C103-202005514-05,PDF.exe

pid	process
816	Powershell.exe
1636	RegAsm.exe
816	Powershell.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	816	Powershell.exe
Token: SeDebugPrivilege	1636	RegAsm.exe
Token: SeDebugPrivilege	968	WerFault.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

C103-202005514-05,PDF.exe

description	pid	process	target process
PID 2008 wrote to memory of 816	2008	C103-202005514-05,PDF.exe	Powershell.exe
PID 2008 wrote to memory of 816	2008	C103-202005514-05,PDF.exe	Powershell.exe
PID 2008 wrote to memory of 816	2008	C103-202005514-05,PDF.exe	Powershell.exe
PID 2008 wrote to memory of 816	2008	C103-202005514-05,PDF.exe	Powershell.exe
PID 2008 wrote to memory of 1636	2008	C103-202005514-05,PDF.exe	RegAsm.exe
PID 2008 wrote to memory of 1636	2008	C103-202005514-05,PDF.exe	RegAsm.exe
PID 2008 wrote to memory of 1636	2008	C103-202005514-05,PDF.exe	RegAsm.exe
PID 2008 wrote to memory of 1636	2008	C103-202005514-05,PDF.exe	RegAsm.exe
PID 2008 wrote to memory of 1636	2008	C103-202005514-05,PDF.exe	RegAsm.exe
PID 2008 wrote to memory of 1636	2008	C103-202005514-05,PDF.exe	RegAsm.exe
PID 2008 wrote to memory of 1636	2008	C103-202005514-05,PDF.exe	RegAsm.exe
PID 2008 wrote to memory of 1636	2008	C103-202005514-05,PDF.exe	RegAsm.exe
PID 2008 wrote to memory of 1636	2008	C103-202005514-05,PDF.exe	RegAsm.exe
PID 2008 wrote to memory of 1636	2008	C103-202005514-05,PDF.exe	RegAsm.exe
PID 2008 wrote to memory of 1636	2008	C103-202005514-05,PDF.exe	RegAsm.exe
PID 2008 wrote to memory of 1636	2008	C103-202005514-05,PDF.exe	RegAsm.exe
PID 2008 wrote to memory of 968	2008	C103-202005514-05,PDF.exe	WerFault.exe
PID 2008 wrote to memory of 968	2008	C103-202005514-05,PDF.exe	WerFault.exe
PID 2008 wrote to memory of 968	2008	C103-202005514-05,PDF.exe	WerFault.exe
PID 2008 wrote to memory of 968	2008	C103-202005514-05,PDF.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\C103-202005514-05,PDF.exe
"C:\Users\Admin\AppData\Local\Temp\C103-202005514-05,PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\C103-202005514-05,PDF.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 1036
2⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\C103-202005514-05,PDF.exe
MD5
eedd3f21579280588e987a0431315356

SHA1
e4232454d3c2e86fedba56dbb0f83363dbfe96bf

SHA256
cdc918638a38eb856105db8b22281142b5cc58f6538ad4e848e45d552332b5fd

SHA512
f1934302099a9d9e45e9aeba3f7fea64fb15021888580bfbe2e21e3a7183e2e01919f2f36163a328480e6d89607baf8ac8ba7180f0975cb103c1e37850d79c64

Download Submit
\Users\Admin\AppData\Local\Temp\C103-202005514-05,PDF.exe
MD5
eedd3f21579280588e987a0431315356

SHA1
e4232454d3c2e86fedba56dbb0f83363dbfe96bf

SHA256
cdc918638a38eb856105db8b22281142b5cc58f6538ad4e848e45d552332b5fd

SHA512
f1934302099a9d9e45e9aeba3f7fea64fb15021888580bfbe2e21e3a7183e2e01919f2f36163a328480e6d89607baf8ac8ba7180f0975cb103c1e37850d79c64

Download Submit
\Users\Admin\AppData\Local\Temp\C103-202005514-05,PDF.exe
MD5
eedd3f21579280588e987a0431315356

SHA1
e4232454d3c2e86fedba56dbb0f83363dbfe96bf

SHA256
cdc918638a38eb856105db8b22281142b5cc58f6538ad4e848e45d552332b5fd

SHA512
f1934302099a9d9e45e9aeba3f7fea64fb15021888580bfbe2e21e3a7183e2e01919f2f36163a328480e6d89607baf8ac8ba7180f0975cb103c1e37850d79c64

Download Submit
\Users\Admin\AppData\Local\Temp\C103-202005514-05,PDF.exe
MD5
eedd3f21579280588e987a0431315356

SHA1
e4232454d3c2e86fedba56dbb0f83363dbfe96bf

SHA256
cdc918638a38eb856105db8b22281142b5cc58f6538ad4e848e45d552332b5fd

SHA512
f1934302099a9d9e45e9aeba3f7fea64fb15021888580bfbe2e21e3a7183e2e01919f2f36163a328480e6d89607baf8ac8ba7180f0975cb103c1e37850d79c64

Download Submit
\Users\Admin\AppData\Local\Temp\C103-202005514-05,PDF.exe
MD5
eedd3f21579280588e987a0431315356

SHA1
e4232454d3c2e86fedba56dbb0f83363dbfe96bf

SHA256
cdc918638a38eb856105db8b22281142b5cc58f6538ad4e848e45d552332b5fd

SHA512
f1934302099a9d9e45e9aeba3f7fea64fb15021888580bfbe2e21e3a7183e2e01919f2f36163a328480e6d89607baf8ac8ba7180f0975cb103c1e37850d79c64

Download Submit
memory/816-41-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/816-23-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/816-10-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/816-11-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/816-12-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/816-13-0x0000000004A22000-0x0000000004A23000-memory.dmp

Filesize
4KB

Download
memory/816-7-0x0000000000000000-mapping.dmp

Download
memory/816-15-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/816-8-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/816-40-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/816-33-0x0000000006160000-0x0000000006161000-memory.dmp

Filesize
4KB

Download
memory/816-32-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/816-26-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/816-9-0x0000000074BA0000-0x000000007528E000-memory.dmp

Filesize
6.9MB

Download
memory/968-42-0x0000000000000000-mapping.dmp

Download
memory/968-49-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/968-43-0x0000000002110000-0x0000000002121000-memory.dmp

Filesize
68KB

Download
memory/1636-19-0x0000000074BA0000-0x000000007528E000-memory.dmp

Filesize
6.9MB

Download
memory/1636-17-0x000000000046463E-mapping.dmp

Download
memory/1636-22-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/1636-20-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1636-16-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2008-2-0x0000000074BA0000-0x000000007528E000-memory.dmp

Filesize
6.9MB

Download
memory/2008-14-0x0000000000320000-0x000000000032F000-memory.dmp

Filesize
60KB

Download
memory/2008-6-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/2008-5-0x0000000001180000-0x00000000011F6000-memory.dmp

Filesize
472KB

Download
memory/2008-3-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/2008-28-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads