snakekeylogger | 47ffaf572157824fb5a40a2706bd72f3e0e43090c621c9d676031fd80bb35fe5

General

Target

PAYMENT DETAILS.exe
Size

576KB
MD5

f58246abe4c6c20a44a110137d141310
SHA1

5fac0ab48685e8154bfc3cd3a7fe36f092d990b8
SHA256

47ffaf572157824fb5a40a2706bd72f3e0e43090c621c9d676031fd80bb35fe5
SHA512

2ffee4c3994506fdbe3da6aeb7844868b7f12989d3f1717a9d80f1d260cf17340adc5c936ee6dcdf9c24a77ff8f7f375563e88116f08cb75e7f96899948362f1

Score

10^/10

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1220-8-0x0000000000400000-0x0000000000468000-memory.dmp	family_snakekeylogger
behavioral1/memory/1220-9-0x0000000000463E5E-mapping.dmp	family_snakekeylogger
behavioral1/memory/1220-12-0x0000000000400000-0x0000000000468000-memory.dmp	family_snakekeylogger

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/1204-5-0x0000000004730000-0x00000000047BE000-memory.dmp	beds_protector

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 checkip.dyndns.org
10 freegeoip.app
11 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

PAYMENT DETAILS.exe

description pid process target process

PID 1204 set thread context of 1220 1204 PAYMENT DETAILS.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RegAsm.exe

pid process

1220 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 1220 RegAsm.exe

description	pid	process	target process
PID 1204 set thread context of 1220	1204	PAYMENT DETAILS.exe	RegAsm.exe

pid	process
1220	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1220	RegAsm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PAYMENT DETAILS.exe

description	pid	process	target process
PID 1204 wrote to memory of 1220	1204	PAYMENT DETAILS.exe	RegAsm.exe
PID 1204 wrote to memory of 1220	1204	PAYMENT DETAILS.exe	RegAsm.exe
PID 1204 wrote to memory of 1220	1204	PAYMENT DETAILS.exe	RegAsm.exe
PID 1204 wrote to memory of 1220	1204	PAYMENT DETAILS.exe	RegAsm.exe
PID 1204 wrote to memory of 1220	1204	PAYMENT DETAILS.exe	RegAsm.exe
PID 1204 wrote to memory of 1220	1204	PAYMENT DETAILS.exe	RegAsm.exe
PID 1204 wrote to memory of 1220	1204	PAYMENT DETAILS.exe	RegAsm.exe
PID 1204 wrote to memory of 1220	1204	PAYMENT DETAILS.exe	RegAsm.exe
PID 1204 wrote to memory of 1220	1204	PAYMENT DETAILS.exe	RegAsm.exe
PID 1204 wrote to memory of 1220	1204	PAYMENT DETAILS.exe	RegAsm.exe
PID 1204 wrote to memory of 1220	1204	PAYMENT DETAILS.exe	RegAsm.exe
PID 1204 wrote to memory of 1220	1204	PAYMENT DETAILS.exe	RegAsm.exe

memory/1204-2-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/1204-3-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1204-5-0x0000000004730000-0x00000000047BE000-memory.dmp

Filesize
568KB

Download
memory/1204-6-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1204-7-0x0000000000560000-0x000000000056F000-memory.dmp

Filesize
60KB

Download
memory/1204-14-0x0000000000695000-0x00000000006A6000-memory.dmp

Filesize
68KB

Download
memory/1220-8-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1220-9-0x0000000000463E5E-mapping.dmp

Download
memory/1220-10-0x00000000765E1000-0x00000000765E3000-memory.dmp

Filesize
8KB

Download
memory/1220-11-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/1220-12-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1220-15-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download