snakekeylogger | a8aad152f516add6a277e2634baa324b105a90c3b02935aa2fa11ea4f0c4667e

General

Target

POL 495.exe
Size

575KB
MD5

3e8d7d953385247857ff9800b08c71fa
SHA1

4d40b4b61bfda3f6c2d560f69259ec27d5f3b06a
SHA256

a8aad152f516add6a277e2634baa324b105a90c3b02935aa2fa11ea4f0c4667e
SHA512

0e7f75494177f706299ce5d947a26557e8c1320bed6c003b1daf87da5bb676bcdea3fb26ed57d9765054574caf91c279b0d0b7456a1cdce93613b3f08a39c620

Score

10^/10

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2008-9-0x0000000000400000-0x0000000000468000-memory.dmp	family_snakekeylogger
behavioral1/memory/2008-10-0x0000000000463D7E-mapping.dmp	family_snakekeylogger
behavioral1/memory/2008-13-0x0000000000400000-0x0000000000468000-memory.dmp	family_snakekeylogger

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/1752-5-0x00000000009B0000-0x0000000000A3E000-memory.dmp	beds_protector

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 checkip.dyndns.org
10 freegeoip.app
11 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

POL 495.exe

description pid process target process

PID 1752 set thread context of 2008 1752 POL 495.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

POL 495.exeRegAsm.exe

pid process

1752 POL 495.exe
2008 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

POL 495.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 1752 POL 495.exe
Token: SeDebugPrivilege 2008 RegAsm.exe

description	pid	process	target process
PID 1752 set thread context of 2008	1752	POL 495.exe	RegAsm.exe

pid	process
1752	POL 495.exe
2008	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1752	POL 495.exe
Token: SeDebugPrivilege	2008	RegAsm.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

POL 495.exe

description	pid	process	target process
PID 1752 wrote to memory of 1500	1752	POL 495.exe	RegAsm.exe
PID 1752 wrote to memory of 1500	1752	POL 495.exe	RegAsm.exe
PID 1752 wrote to memory of 1500	1752	POL 495.exe	RegAsm.exe
PID 1752 wrote to memory of 1500	1752	POL 495.exe	RegAsm.exe
PID 1752 wrote to memory of 1500	1752	POL 495.exe	RegAsm.exe
PID 1752 wrote to memory of 1500	1752	POL 495.exe	RegAsm.exe
PID 1752 wrote to memory of 1500	1752	POL 495.exe	RegAsm.exe
PID 1752 wrote to memory of 2008	1752	POL 495.exe	RegAsm.exe
PID 1752 wrote to memory of 2008	1752	POL 495.exe	RegAsm.exe
PID 1752 wrote to memory of 2008	1752	POL 495.exe	RegAsm.exe
PID 1752 wrote to memory of 2008	1752	POL 495.exe	RegAsm.exe
PID 1752 wrote to memory of 2008	1752	POL 495.exe	RegAsm.exe
PID 1752 wrote to memory of 2008	1752	POL 495.exe	RegAsm.exe
PID 1752 wrote to memory of 2008	1752	POL 495.exe	RegAsm.exe
PID 1752 wrote to memory of 2008	1752	POL 495.exe	RegAsm.exe
PID 1752 wrote to memory of 2008	1752	POL 495.exe	RegAsm.exe
PID 1752 wrote to memory of 2008	1752	POL 495.exe	RegAsm.exe
PID 1752 wrote to memory of 2008	1752	POL 495.exe	RegAsm.exe
PID 1752 wrote to memory of 2008	1752	POL 495.exe	RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1500

memory/1752-2-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/1752-3-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/1752-5-0x00000000009B0000-0x0000000000A3E000-memory.dmp

Filesize
568KB

Download
memory/1752-6-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/1752-7-0x00000000005E0000-0x00000000005EF000-memory.dmp

Filesize
60KB

Download
memory/1752-8-0x0000000004BE5000-0x0000000004BF6000-memory.dmp

Filesize
68KB

Download
memory/2008-9-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2008-10-0x0000000000463D7E-mapping.dmp

Download
memory/2008-11-0x0000000075EB1000-0x0000000075EB3000-memory.dmp

Filesize
8KB

Download
memory/2008-12-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/2008-13-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2008-15-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download