snakekeylogger | e4023297b3b3918787683d59c9ebf0c5786cdf50f42f54c50aa5571e7dae29f7

General

Target

S09900090K.exe
Size

206KB
MD5

717af05a9247debb55e8a57cb5096df4
SHA1

c0f8e0518f372e52fa5245c1ee3992ac02e15a5f
SHA256

e4023297b3b3918787683d59c9ebf0c5786cdf50f42f54c50aa5571e7dae29f7
SHA512

13a7c5dfe3474f3c4b17a52525203953adb82a82f11e6a688543d00afc6f00eacdced92990802622c885ee88fe01c73d6297d9de6db512f282d35544a243ea15

Score

10^/10

snakekeylogger keylogger persistence stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
smtp.1and1.com
Port:
587
Username:
[email protected]
Password:
Andres1.2

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Loads dropped DLL 2 IoCs

Processes:

S09900090K.exe

pid	Process
3972	S09900090K.exe
3972	S09900090K.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

S09900090K.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\keeptnls = "C:\\Users\\Admin\\AppData\\Roaming\\nfucibtjl\\lfyinhpbx.exe"	S09900090K.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
7	checkip.dyndns.org
10	freegeoip.app
11	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

Processes:

S09900090K.exe

description	pid	Process	procid_target
PID 3972 set thread context of 2432	3972	S09900090K.exe	75

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

MSBuild.exe

pid	Process
2432	MSBuild.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

S09900090K.exe

pid	Process
3972	S09900090K.exe
3972	S09900090K.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description	pid	Process
Token: SeDebugPrivilege	2432	MSBuild.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

S09900090K.exe

description	pid	Process	procid_target
PID 3972 wrote to memory of 2432	3972	S09900090K.exe	75
PID 3972 wrote to memory of 2432	3972	S09900090K.exe	75
PID 3972 wrote to memory of 2432	3972	S09900090K.exe	75
PID 3972 wrote to memory of 2432	3972	S09900090K.exe	75

C:\Users\Admin\AppData\Local\Temp\S09900090K.exe
"C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\S09900090K.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsw1767.tmp\System.dll

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsw1767.tmp\System.dll

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/2432-116-0x000000000016EFFE-mapping.dmp

Download
memory/2432-117-0x0000000000150000-0x0000000000174000-memory.dmp

Filesize
144KB

Download
memory/2432-119-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/2432-120-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/2432-121-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/2432-123-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/2432-122-0x00000000049F0000-0x0000000004EEE000-memory.dmp

Filesize
5.0MB

Download
memory/2432-124-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads