snakekeylogger | d86b3acfe2d1e7d16c024f51e56bcba13b05390cea05f6b31e146d172bb2b082

General

Target

INV_098789.exe
Size

474KB
MD5

add006df937fd85501cc5722e9e23dc8
SHA1

49064657d66f66292daf07564f471c23b33bf3e7
SHA256

d86b3acfe2d1e7d16c024f51e56bcba13b05390cea05f6b31e146d172bb2b082
SHA512

130a06a4475840aa7ddebbf6129f62079d44e95714f41d0e5e2335053737ce943c8b710b179f551a99e4fc0189c0bdc2e0c29a0aa6662ca6777751e2f17f91f0

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/736-12-0x0000000000400000-0x000000000046A000-memory.dmp	family_snakekeylogger
behavioral2/memory/736-13-0x000000000046412E-mapping.dmp	family_snakekeylogger

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 freegeoip.app
11 checkip.dyndns.org
14 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

INV_098789.exe

description pid process target process

PID 3116 set thread context of 736 3116 INV_098789.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3488 3116 WerFault.exe INV_098789.exe

flow	ioc
15	freegeoip.app
11	checkip.dyndns.org
14	freegeoip.app

description	pid	process	target process
PID 3116 set thread context of 736	3116	INV_098789.exe	RegAsm.exe

pid	pid_target	process	target process
3488	3116	WerFault.exe	INV_098789.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

RegAsm.exeWerFault.exe

pid	process
736	RegAsm.exe
3488	WerFault.exe
3488	WerFault.exe
3488	WerFault.exe
3488	WerFault.exe
3488	WerFault.exe
3488	WerFault.exe
3488	WerFault.exe
3488	WerFault.exe
3488	WerFault.exe
3488	WerFault.exe
3488	WerFault.exe
3488	WerFault.exe
3488	WerFault.exe
3488	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RegAsm.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	736	RegAsm.exe
Token: SeRestorePrivilege	3488	WerFault.exe
Token: SeBackupPrivilege	3488	WerFault.exe
Token: SeDebugPrivilege	3488	WerFault.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

INV_098789.exe

description	pid	process	target process
PID 3116 wrote to memory of 736	3116	INV_098789.exe	RegAsm.exe
PID 3116 wrote to memory of 736	3116	INV_098789.exe	RegAsm.exe
PID 3116 wrote to memory of 736	3116	INV_098789.exe	RegAsm.exe
PID 3116 wrote to memory of 736	3116	INV_098789.exe	RegAsm.exe
PID 3116 wrote to memory of 736	3116	INV_098789.exe	RegAsm.exe
PID 3116 wrote to memory of 736	3116	INV_098789.exe	RegAsm.exe
PID 3116 wrote to memory of 736	3116	INV_098789.exe	RegAsm.exe
PID 3116 wrote to memory of 736	3116	INV_098789.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\INV_098789.exe
"C:\Users\Admin\AppData\Local\Temp\INV_098789.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 1576
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/736-12-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/736-24-0x00000000063F0000-0x00000000063F1000-memory.dmp

Filesize
4KB

Download
memory/736-21-0x0000000006480000-0x0000000006481000-memory.dmp

Filesize
4KB

Download
memory/736-19-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/736-14-0x0000000073840000-0x0000000073F2E000-memory.dmp

Filesize
6.9MB

Download
memory/736-13-0x000000000046412E-mapping.dmp

Download
memory/3116-8-0x0000000005F10000-0x0000000005F11000-memory.dmp

Filesize
4KB

Download
memory/3116-20-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/3116-11-0x0000000005610000-0x000000000561F000-memory.dmp

Filesize
60KB

Download
memory/3116-9-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/3116-2-0x0000000073840000-0x0000000073F2E000-memory.dmp

Filesize
6.9MB

Download
memory/3116-7-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/3116-6-0x0000000005580000-0x00000000055F5000-memory.dmp

Filesize
468KB

Download
memory/3116-10-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/3116-5-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/3116-23-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/3116-3-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/3116-25-0x00000000063A0000-0x00000000063A1000-memory.dmp

Filesize
4KB

Download
memory/3116-26-0x0000000006370000-0x0000000006371000-memory.dmp

Filesize
4KB

Download
memory/3488-27-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads