snakekeylogger | a8aad152f516add6a277e2634baa324b105a90c3b02935aa2fa11ea4f0c4667e

General

Target

POL 495.exe
Size

575KB
MD5

3e8d7d953385247857ff9800b08c71fa
SHA1

4d40b4b61bfda3f6c2d560f69259ec27d5f3b06a
SHA256

a8aad152f516add6a277e2634baa324b105a90c3b02935aa2fa11ea4f0c4667e
SHA512

0e7f75494177f706299ce5d947a26557e8c1320bed6c003b1daf87da5bb676bcdea3fb26ed57d9765054574caf91c279b0d0b7456a1cdce93613b3f08a39c620

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/60-15-0x0000000000400000-0x0000000000468000-memory.dmp	family_snakekeylogger
behavioral2/memory/60-16-0x0000000000463D7E-mapping.dmp	family_snakekeylogger

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral2/memory/1180-7-0x0000000005310000-0x000000000539E000-memory.dmp	beds_protector

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 checkip.dyndns.org
11 freegeoip.app
12 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

POL 495.exe

description pid process target process

PID 1180 set thread context of 60 1180 POL 495.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RegAsm.exe

pid process

60 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 60 RegAsm.exe

flow	ioc
8	checkip.dyndns.org
11	freegeoip.app
12	freegeoip.app

description	pid	process	target process
PID 1180 set thread context of 60	1180	POL 495.exe	RegAsm.exe

pid	process
60	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	60	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

POL 495.exe

description	pid	process	target process
PID 1180 wrote to memory of 60	1180	POL 495.exe	RegAsm.exe
PID 1180 wrote to memory of 60	1180	POL 495.exe	RegAsm.exe
PID 1180 wrote to memory of 60	1180	POL 495.exe	RegAsm.exe
PID 1180 wrote to memory of 60	1180	POL 495.exe	RegAsm.exe
PID 1180 wrote to memory of 60	1180	POL 495.exe	RegAsm.exe
PID 1180 wrote to memory of 60	1180	POL 495.exe	RegAsm.exe
PID 1180 wrote to memory of 60	1180	POL 495.exe	RegAsm.exe
PID 1180 wrote to memory of 60	1180	POL 495.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\POL 495.exe
"C:\Users\Admin\AppData\Local\Temp\POL 495.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:60

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-15-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/60-23-0x0000000006700000-0x0000000006701000-memory.dmp

Filesize
4KB

Download
memory/60-22-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/60-17-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/60-16-0x0000000000463D7E-mapping.dmp

Download
memory/1180-7-0x0000000005310000-0x000000000539E000-memory.dmp

Filesize
568KB

Download
memory/1180-9-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/1180-10-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/1180-11-0x0000000007280000-0x0000000007281000-memory.dmp

Filesize
4KB

Download
memory/1180-12-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/1180-13-0x00000000054F3000-0x00000000054F5000-memory.dmp

Filesize
8KB

Download
memory/1180-14-0x00000000057A0000-0x00000000057AF000-memory.dmp

Filesize
60KB

Download
memory/1180-8-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/1180-2-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/1180-6-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/1180-5-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/1180-3-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads