snakekeylogger | 37ba2407fcedfb820ba97763e2fb4799604a7085a60d48f69de9583fe87eb9f3

General

Target

SecuriteInfo.com.Trojan.Packed2.42783.9831.18705.exe
Size

1.2MB
MD5

263f0b35e5768e624a84ac122bbf6a8c
SHA1

53b6283cf3fe925f008ff5e75bb9f59ec115e0db
SHA256

37ba2407fcedfb820ba97763e2fb4799604a7085a60d48f69de9583fe87eb9f3
SHA512

3cc99c5e89bc9443fb78e7ffd09efd5bd846fde48cbbbaf2ef4ff41f39a393b3e5660f74117113f9dee9540a1c5f4ba07e54d17790eda1375c13af3ddcfe4fa1

Score

10^/10

snakekeylogger keylogger ransomware spyware stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/976-25-0x0000000000400000-0x0000000000468000-memory.dmp	family_snakekeylogger
behavioral1/memory/976-26-0x000000000046370E-mapping.dmp	family_snakekeylogger
behavioral1/memory/976-29-0x0000000000400000-0x0000000000468000-memory.dmp	family_snakekeylogger

Executes dropped EXE 2 IoCs

Processes:

omsu.exeInstallUtil.exe

pid process

924 omsu.exe
976 InstallUtil.exe

pid	process
924	omsu.exe
976	InstallUtil.exe

Drops startup file 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Packed2.42783.9831.18705.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\omsu.lnk	SecuriteInfo.com.Trojan.Packed2.42783.9831.18705.exe

Loads dropped DLL 2 IoCs

Processes:

SecuriteInfo.com.Trojan.Packed2.42783.9831.18705.exeomsu.exe

pid process

1636 SecuriteInfo.com.Trojan.Packed2.42783.9831.18705.exe
924 omsu.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 freegeoip.app
10 checkip.dyndns.org
15 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

omsu.exe

description pid process target process

PID 924 set thread context of 976 924 omsu.exe InstallUtil.exe

flow	ioc
16	freegeoip.app
10	checkip.dyndns.org
15	freegeoip.app

description	pid	process	target process
PID 924 set thread context of 976	924	omsu.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

SecuriteInfo.com.Trojan.Packed2.42783.9831.18705.exeomsu.exeInstallUtil.exe

pid	process
1636	SecuriteInfo.com.Trojan.Packed2.42783.9831.18705.exe
1636	SecuriteInfo.com.Trojan.Packed2.42783.9831.18705.exe
1636	SecuriteInfo.com.Trojan.Packed2.42783.9831.18705.exe
1636	SecuriteInfo.com.Trojan.Packed2.42783.9831.18705.exe
1636	SecuriteInfo.com.Trojan.Packed2.42783.9831.18705.exe
924	omsu.exe
924	omsu.exe
976	InstallUtil.exe
976	InstallUtil.exe
976	InstallUtil.exe
976	InstallUtil.exe
976	InstallUtil.exe
976	InstallUtil.exe
976	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

SecuriteInfo.com.Trojan.Packed2.42783.9831.18705.exeomsu.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1636	SecuriteInfo.com.Trojan.Packed2.42783.9831.18705.exe
Token: SeDebugPrivilege	924	omsu.exe
Token: SeDebugPrivilege	976	InstallUtil.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

SecuriteInfo.com.Trojan.Packed2.42783.9831.18705.exeomsu.exe

description	pid	process	target process
PID 1636 wrote to memory of 924	1636	SecuriteInfo.com.Trojan.Packed2.42783.9831.18705.exe	omsu.exe
PID 1636 wrote to memory of 924	1636	SecuriteInfo.com.Trojan.Packed2.42783.9831.18705.exe	omsu.exe
PID 1636 wrote to memory of 924	1636	SecuriteInfo.com.Trojan.Packed2.42783.9831.18705.exe	omsu.exe
PID 1636 wrote to memory of 924	1636	SecuriteInfo.com.Trojan.Packed2.42783.9831.18705.exe	omsu.exe
PID 924 wrote to memory of 976	924	omsu.exe	InstallUtil.exe
PID 924 wrote to memory of 976	924	omsu.exe	InstallUtil.exe
PID 924 wrote to memory of 976	924	omsu.exe	InstallUtil.exe
PID 924 wrote to memory of 976	924	omsu.exe	InstallUtil.exe
PID 924 wrote to memory of 976	924	omsu.exe	InstallUtil.exe
PID 924 wrote to memory of 976	924	omsu.exe	InstallUtil.exe
PID 924 wrote to memory of 976	924	omsu.exe	InstallUtil.exe
PID 924 wrote to memory of 976	924	omsu.exe	InstallUtil.exe
PID 924 wrote to memory of 976	924	omsu.exe	InstallUtil.exe
PID 924 wrote to memory of 976	924	omsu.exe	InstallUtil.exe
PID 924 wrote to memory of 976	924	omsu.exe	InstallUtil.exe
PID 924 wrote to memory of 976	924	omsu.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed2.42783.9831.18705.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed2.42783.9831.18705.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\omsu.exe
"C:\Users\Admin\omsu.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\omsu.exe

MD5
263f0b35e5768e624a84ac122bbf6a8c

SHA1
53b6283cf3fe925f008ff5e75bb9f59ec115e0db

SHA256
37ba2407fcedfb820ba97763e2fb4799604a7085a60d48f69de9583fe87eb9f3

SHA512
3cc99c5e89bc9443fb78e7ffd09efd5bd846fde48cbbbaf2ef4ff41f39a393b3e5660f74117113f9dee9540a1c5f4ba07e54d17790eda1375c13af3ddcfe4fa1

Download Submit
C:\Users\Admin\omsu.exe

MD5
263f0b35e5768e624a84ac122bbf6a8c

SHA1
53b6283cf3fe925f008ff5e75bb9f59ec115e0db

SHA256
37ba2407fcedfb820ba97763e2fb4799604a7085a60d48f69de9583fe87eb9f3

SHA512
3cc99c5e89bc9443fb78e7ffd09efd5bd846fde48cbbbaf2ef4ff41f39a393b3e5660f74117113f9dee9540a1c5f4ba07e54d17790eda1375c13af3ddcfe4fa1

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\omsu.exe

MD5
263f0b35e5768e624a84ac122bbf6a8c

SHA1
53b6283cf3fe925f008ff5e75bb9f59ec115e0db

SHA256
37ba2407fcedfb820ba97763e2fb4799604a7085a60d48f69de9583fe87eb9f3

SHA512
3cc99c5e89bc9443fb78e7ffd09efd5bd846fde48cbbbaf2ef4ff41f39a393b3e5660f74117113f9dee9540a1c5f4ba07e54d17790eda1375c13af3ddcfe4fa1

Download Submit
memory/924-14-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/924-15-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/924-17-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/924-21-0x0000000000940000-0x000000000094B000-memory.dmp

Filesize
44KB

Download
memory/924-22-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/924-11-0x0000000000000000-mapping.dmp

Download
memory/976-25-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/976-31-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/976-29-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/976-28-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/976-26-0x000000000046370E-mapping.dmp

Download
memory/1636-7-0x0000000000B70000-0x0000000000B8E000-memory.dmp

Filesize
120KB

Download
memory/1636-5-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/1636-3-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1636-2-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/1636-8-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/1636-9-0x0000000004F61000-0x0000000004F62000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads