snakekeylogger | 8b1702fd70eb89fd46daedb3bfb9dd421ed059b6d6e8acdfb04ddc360481e081

General

Target

QUOTATION.exe
Size

1.0MB
MD5

bdc873a7a6e41514faa0d8294731b3b5
SHA1

7230e4e49239643b5c379a8d4d01f6d24fff757e
SHA256

8b1702fd70eb89fd46daedb3bfb9dd421ed059b6d6e8acdfb04ddc360481e081
SHA512

c8d47420885a2ef1644ef237120692f062214ed9fd72e09e285a0a8619df1335ade3219e0b0695ee135d1ca27b26836e5a0b94b0069217ae67c2da6e8833a49e

Score

10^/10

snakekeylogger evasion keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
smtp.vivaldi.net
Port:
587
Username:
oluwalogs@vivaldi.net
Password:
oluwagozie123

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

QUOTATION.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	QUOTATION.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	QUOTATION.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 checkip.dyndns.org
16 freegeoip.app
17 freegeoip.app

flow	ioc
13	checkip.dyndns.org
16	freegeoip.app
17	freegeoip.app

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

QUOTATION.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	QUOTATION.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	QUOTATION.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

QUOTATION.exe

description pid process target process

PID 3196 set thread context of 1228 3196 QUOTATION.exe QUOTATION.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

QUOTATION.exepowershell.exe

pid process

1228 QUOTATION.exe
2276 powershell.exe
2276 powershell.exe
2276 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeQUOTATION.exe

description pid process

Token: SeDebugPrivilege 2276 powershell.exe
Token: SeDebugPrivilege 1228 QUOTATION.exe

description	pid	process	target process
PID 3196 set thread context of 1228	3196	QUOTATION.exe	QUOTATION.exe

pid	process
1228	QUOTATION.exe
2276	powershell.exe
2276	powershell.exe
2276	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	1228	QUOTATION.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

QUOTATION.exe

description	pid	process	target process
PID 3196 wrote to memory of 2276	3196	QUOTATION.exe	powershell.exe
PID 3196 wrote to memory of 2276	3196	QUOTATION.exe	powershell.exe
PID 3196 wrote to memory of 2276	3196	QUOTATION.exe	powershell.exe
PID 3196 wrote to memory of 1228	3196	QUOTATION.exe	QUOTATION.exe
PID 3196 wrote to memory of 1228	3196	QUOTATION.exe	QUOTATION.exe
PID 3196 wrote to memory of 1228	3196	QUOTATION.exe	QUOTATION.exe
PID 3196 wrote to memory of 1228	3196	QUOTATION.exe	QUOTATION.exe
PID 3196 wrote to memory of 1228	3196	QUOTATION.exe	QUOTATION.exe
PID 3196 wrote to memory of 1228	3196	QUOTATION.exe	QUOTATION.exe
PID 3196 wrote to memory of 1228	3196	QUOTATION.exe	QUOTATION.exe
PID 3196 wrote to memory of 1228	3196	QUOTATION.exe	QUOTATION.exe

C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION.exe.log
MD5
12557ab909651a6f99d3503d614d3562

SHA1
b86745768059a514bea3a438e1e96086af463246

SHA256
9589c869703e95d40d5870c60f66d8460f7914e9fe8dd579533c84148112babd

SHA512
10cdb2fa7cf054af937b4aeddfe16fe755d6b09db5a51f7052adbf472b4b435e16c141f3712762f3b67f990c3efcfa47659576988e321214c747d6cd98e75521

Download Submit
memory/1228-131-0x000000000041F86E-mapping.dmp

Download
memory/1228-146-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/1228-143-0x0000000005060000-0x000000000555E000-memory.dmp

Filesize
5.0MB

Download
memory/1228-130-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2276-137-0x0000000007790000-0x0000000007791000-memory.dmp

Filesize
4KB

Download
memory/2276-140-0x0000000008350000-0x0000000008351000-memory.dmp

Filesize
4KB

Download
memory/2276-186-0x00000000035F3000-0x00000000035F4000-memory.dmp

Filesize
4KB

Download
memory/2276-171-0x0000000009D10000-0x0000000009D11000-memory.dmp

Filesize
4KB

Download
memory/2276-124-0x0000000000000000-mapping.dmp

Download
memory/2276-170-0x0000000009B60000-0x0000000009B61000-memory.dmp

Filesize
4KB

Download
memory/2276-128-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/2276-129-0x0000000007B40000-0x0000000007B41000-memory.dmp

Filesize
4KB

Download
memory/2276-165-0x00000000099F0000-0x00000000099F1000-memory.dmp

Filesize
4KB

Download
memory/2276-158-0x0000000009A30000-0x0000000009A63000-memory.dmp

Filesize
204KB

Download
memory/2276-157-0x000000007F520000-0x000000007F521000-memory.dmp

Filesize
4KB

Download
memory/2276-149-0x0000000008A80000-0x0000000008A81000-memory.dmp

Filesize
4KB

Download
memory/2276-138-0x0000000007A30000-0x0000000007A31000-memory.dmp

Filesize
4KB

Download
memory/2276-145-0x0000000008760000-0x0000000008761000-memory.dmp

Filesize
4KB

Download
memory/2276-141-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/2276-142-0x00000000035F2000-0x00000000035F3000-memory.dmp

Filesize
4KB

Download
memory/2276-144-0x00000000081E0000-0x00000000081E1000-memory.dmp

Filesize
4KB

Download
memory/3196-117-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/3196-121-0x0000000004960000-0x0000000004E5E000-memory.dmp

Filesize
5.0MB

Download
memory/3196-116-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/3196-114-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/3196-118-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/3196-119-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/3196-120-0x00000000049B0000-0x00000000049CE000-memory.dmp

Filesize
120KB

Download
memory/3196-125-0x000000000AD00000-0x000000000AD01000-memory.dmp

Filesize
4KB

Download
memory/3196-123-0x0000000007C50000-0x0000000007C81000-memory.dmp

Filesize
196KB

Download
memory/3196-122-0x00000000056E0000-0x0000000005753000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads