snakekeylogger | fb04731280999bb99a45d6473b6fd1d8a9cad45654ee21d7a5ca89b8a6a7e41e

General

Target

invoice.02 Nazih El Chouli.exe
Size

31KB
MD5

5898734f512fe21e26447c8b28fe802f
SHA1

eefb6ef334e0ae3fe1316256831a087d412f6008
SHA256

fb04731280999bb99a45d6473b6fd1d8a9cad45654ee21d7a5ca89b8a6a7e41e
SHA512

5f1dbfdc7fd4f091b4a531a1101256ff697cf68d46a231cb08919236de97230d7d26ebe5a34142fcc738a737421b12b5589da180581c32e3cedddc8511a75841

Score

10^/10

snakekeylogger keylogger spyware stealer suricata

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
Smtp.vivaldi.net
Port:
587
Username:
samueln@vivaldi.net
Password:
DU5DwYRUQdyQQCt

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
suricata: ET MALWARE DTLoader Binary Request M2
suricata
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 checkip.dyndns.org
14 freegeoip.app
15 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

invoice.02 Nazih El Chouli.exe

description pid process target process

PID 3968 set thread context of 1448 3968 invoice.02 Nazih El Chouli.exe invoice.02 Nazih El Chouli.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

invoice.02 Nazih El Chouli.exe

pid process

1448 invoice.02 Nazih El Chouli.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

invoice.02 Nazih El Chouli.exeinvoice.02 Nazih El Chouli.exe

description pid process

Token: SeDebugPrivilege 3968 invoice.02 Nazih El Chouli.exe
Token: SeDebugPrivilege 1448 invoice.02 Nazih El Chouli.exe

flow	ioc
12	checkip.dyndns.org
14	freegeoip.app
15	freegeoip.app

description	pid	process	target process
PID 3968 set thread context of 1448	3968	invoice.02 Nazih El Chouli.exe	invoice.02 Nazih El Chouli.exe

pid	process
1448	invoice.02 Nazih El Chouli.exe

description	pid	process
Token: SeDebugPrivilege	3968	invoice.02 Nazih El Chouli.exe
Token: SeDebugPrivilege	1448	invoice.02 Nazih El Chouli.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

invoice.02 Nazih El Chouli.exe

description	pid	process	target process
PID 3968 wrote to memory of 1448	3968	invoice.02 Nazih El Chouli.exe	invoice.02 Nazih El Chouli.exe
PID 3968 wrote to memory of 1448	3968	invoice.02 Nazih El Chouli.exe	invoice.02 Nazih El Chouli.exe
PID 3968 wrote to memory of 1448	3968	invoice.02 Nazih El Chouli.exe	invoice.02 Nazih El Chouli.exe
PID 3968 wrote to memory of 1448	3968	invoice.02 Nazih El Chouli.exe	invoice.02 Nazih El Chouli.exe
PID 3968 wrote to memory of 1448	3968	invoice.02 Nazih El Chouli.exe	invoice.02 Nazih El Chouli.exe
PID 3968 wrote to memory of 1448	3968	invoice.02 Nazih El Chouli.exe	invoice.02 Nazih El Chouli.exe
PID 3968 wrote to memory of 1448	3968	invoice.02 Nazih El Chouli.exe	invoice.02 Nazih El Chouli.exe
PID 3968 wrote to memory of 1448	3968	invoice.02 Nazih El Chouli.exe	invoice.02 Nazih El Chouli.exe

C:\Users\Admin\AppData\Local\Temp\invoice.02 Nazih El Chouli.exe
"C:\Users\Admin\AppData\Local\Temp\invoice.02 Nazih El Chouli.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968

C:\Users\Admin\AppData\Local\Temp\invoice.02 Nazih El Chouli.exe
"C:\Users\Admin\AppData\Local\Temp\invoice.02 Nazih El Chouli.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice.02 Nazih El Chouli.exe.log
MD5
4d3fa08fb66fd6514e34ae902f8d2292

SHA1
46b598199af1d91abd2534dbc0cbcc7022e51c88

SHA256
3182d0e332f73af730d569df96b097a77a5cd98c91a56d5c57b85a105332a753

SHA512
7fa1c64c5555837286d4bf9448c5a2bac9ebb62c3966eff063f7fe4fa5c4076930c6505f04940fb4b38ea240f319b94fde4de4c3d7ac5c1f83fce99b33f6620a

Download Submit
memory/1448-126-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/1448-121-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1448-122-0x000000000041F82E-mapping.dmp

Download
memory/1448-128-0x0000000005260000-0x000000000575E000-memory.dmp

Filesize
5.0MB

Download
memory/1448-129-0x0000000006570000-0x0000000006571000-memory.dmp

Filesize
4KB

Download
memory/1448-130-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/1448-131-0x0000000006430000-0x0000000006431000-memory.dmp

Filesize
4KB

Download
memory/3968-117-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/3968-118-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/3968-119-0x0000000005E70000-0x0000000005E71000-memory.dmp

Filesize
4KB

Download
memory/3968-120-0x0000000006140000-0x0000000006147000-memory.dmp

Filesize
28KB

Download
memory/3968-116-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/3968-114-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing