snakekeylogger | 7598d6cadbbded8074763a1e8b0e8c24f125c0ceaf194c9f386acf9e8a811a28

General

Target

consignment details.exe
Size

174KB
MD5

d8a960f613e009eef9f81887a39e7cd0
SHA1

52e658fc0d3d436594c06d1b9a75d2c065622d9f
SHA256

7598d6cadbbded8074763a1e8b0e8c24f125c0ceaf194c9f386acf9e8a811a28
SHA512

441abf3939ada9b4e33f1c6452715295bc375559fb96ff39d15975417eaac78832d97b9b6dcbc67629de5803995a541ca90129fd1c7dae13320c107e8fc9e8ea

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
msonsgroup.in
Port:
587
Username:
speak@msonsgroup.in
Password:
speak2424@

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Loads dropped DLL 2 IoCs

Processes:

consignment details.exe

pid process

3164 consignment details.exe
3164 consignment details.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 freegeoip.app
8 checkip.dyndns.org
12 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

consignment details.exe

description pid process target process

PID 3164 set thread context of 3160 3164 consignment details.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
13	freegeoip.app
8	checkip.dyndns.org
12	freegeoip.app

description	pid	process	target process
PID 3164 set thread context of 3160	3164	consignment details.exe	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

consignment details.exeMSBuild.exe

pid	process
3164	consignment details.exe
3164	consignment details.exe
3164	consignment details.exe
3164	consignment details.exe
3164	consignment details.exe
3164	consignment details.exe
3164	consignment details.exe
3164	consignment details.exe
3160	MSBuild.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

consignment details.exe

pid process

3164 consignment details.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 3160 MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	3160	MSBuild.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

consignment details.exe

description	pid	process	target process
PID 3164 wrote to memory of 3160	3164	consignment details.exe	MSBuild.exe
PID 3164 wrote to memory of 3160	3164	consignment details.exe	MSBuild.exe
PID 3164 wrote to memory of 3160	3164	consignment details.exe	MSBuild.exe
PID 3164 wrote to memory of 3160	3164	consignment details.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\consignment details.exe
"C:\Users\Admin\AppData\Local\Temp\consignment details.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\consignment details.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsxD26.tmp\System.dll
MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
\Users\Admin\AppData\Local\Temp\nsxD26.tmp\System.dll
MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
memory/3160-116-0x000000000041F85E-mapping.dmp

Download
memory/3160-117-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3160-119-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/3160-120-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/3160-121-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/3160-122-0x0000000005F60000-0x0000000005F61000-memory.dmp

Filesize
4KB

Download
memory/3160-123-0x0000000005E50000-0x0000000005E51000-memory.dmp

Filesize
4KB

Download
memory/3160-124-0x0000000005E00000-0x0000000005E01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing