snakekeylogger | db27960e5407802bd8416782c93898baf8c89e240348db47870ef55091195feb

Analysis

max time kernel
100s
max time network
184s
platform
windows7_x64
resource
win7v20210408
submitted
28-07-2021 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Number of Package.xlsx
Size

718KB
MD5

a247cc8b5eb2f580aa454b3846c3ad36
SHA1

415bb2fdedf27176947e557ac969a09b9e9d035a
SHA256

db27960e5407802bd8416782c93898baf8c89e240348db47870ef55091195feb
SHA512

31f99e8545b8bc6254a498d590c6b79ded8bc7213f1f407652cfc6d36702b5c6bd5918add236d9d50085ccb8d97f0b6ca721e192aed06d4e0c0e3e606c4de4e8

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
bh-16.webhostbox.net
Port:
587
Username:
whesilolog@miratechs.gq
Password:
7213575aceACE@#$

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/936-70-0x00000000004E0000-0x00000000004EB000-memory.dmp	CustAttr

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

5 1544 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

whesilo7441.exewhesilo7441.exe

pid process

936 whesilo7441.exe
1084 whesilo7441.exe
Loads dropped DLL 6 IoCs

Processes:

EQNEDT32.EXEWerFault.exe

pid process

1544 EQNEDT32.EXE
2008 WerFault.exe
2008 WerFault.exe
2008 WerFault.exe
2008 WerFault.exe
2008 WerFault.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

whesilo7441.exe

description pid process target process

PID 936 set thread context of 1084 936 whesilo7441.exe whesilo7441.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2008 1084 WerFault.exe whesilo7441.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1544 EQNEDT32.EXE

flow	pid	process
5	1544	EQNEDT32.EXE

pid	process
936	whesilo7441.exe
1084	whesilo7441.exe

pid	process
1544	EQNEDT32.EXE
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe

flow	ioc
6	checkip.dyndns.org

description	pid	process	target process
PID 936 set thread context of 1084	936	whesilo7441.exe	whesilo7441.exe

pid	pid_target	process	target process
2008	1084	WerFault.exe	whesilo7441.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1544	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

332 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

whesilo7441.exeWerFault.exe

pid process

1084 whesilo7441.exe
2008 WerFault.exe
2008 WerFault.exe
2008 WerFault.exe
2008 WerFault.exe
2008 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

whesilo7441.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 1084 whesilo7441.exe
Token: SeDebugPrivilege 2008 WerFault.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

332 EXCEL.EXE
332 EXCEL.EXE
332 EXCEL.EXE

pid	process
332	EXCEL.EXE

pid	process
1084	whesilo7441.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1084	whesilo7441.exe
Token: SeDebugPrivilege	2008	WerFault.exe

pid	process
332	EXCEL.EXE
332	EXCEL.EXE
332	EXCEL.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

EQNEDT32.EXEwhesilo7441.exewhesilo7441.exe

description	pid	process	target process
PID 1544 wrote to memory of 936	1544	EQNEDT32.EXE	whesilo7441.exe
PID 1544 wrote to memory of 936	1544	EQNEDT32.EXE	whesilo7441.exe
PID 1544 wrote to memory of 936	1544	EQNEDT32.EXE	whesilo7441.exe
PID 1544 wrote to memory of 936	1544	EQNEDT32.EXE	whesilo7441.exe
PID 936 wrote to memory of 1084	936	whesilo7441.exe	whesilo7441.exe
PID 936 wrote to memory of 1084	936	whesilo7441.exe	whesilo7441.exe
PID 936 wrote to memory of 1084	936	whesilo7441.exe	whesilo7441.exe
PID 936 wrote to memory of 1084	936	whesilo7441.exe	whesilo7441.exe
PID 936 wrote to memory of 1084	936	whesilo7441.exe	whesilo7441.exe
PID 936 wrote to memory of 1084	936	whesilo7441.exe	whesilo7441.exe
PID 936 wrote to memory of 1084	936	whesilo7441.exe	whesilo7441.exe
PID 936 wrote to memory of 1084	936	whesilo7441.exe	whesilo7441.exe
PID 936 wrote to memory of 1084	936	whesilo7441.exe	whesilo7441.exe
PID 1084 wrote to memory of 2008	1084	whesilo7441.exe	WerFault.exe
PID 1084 wrote to memory of 2008	1084	whesilo7441.exe	WerFault.exe
PID 1084 wrote to memory of 2008	1084	whesilo7441.exe	WerFault.exe
PID 1084 wrote to memory of 2008	1084	whesilo7441.exe	WerFault.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Number of Package.xlsx"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:332

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Roaming\whesilo7441.exe
"C:\Users\Admin\AppData\Roaming\whesilo7441.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Roaming\whesilo7441.exe
"C:\Users\Admin\AppData\Roaming\whesilo7441.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1004
4⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\whesilo7441.exe
MD5
573a705d5e0d497295ea03ac32056f8f

SHA1
22da991da46c925251c0d509cdaa6cad50e3ebe1

SHA256
74f9d0543c52f4e3cc068134a69edaea6af7d715874efc4acd643991f28f3de3

SHA512
59399a3c87b2157485ca25899c018d98c8dea6572a918bb5c2984f6b24c86fbe2e76fac87625ab05e782a4f1ca655eb71c1a225ccccc25e722344294b22fa515

Download Submit
C:\Users\Admin\AppData\Roaming\whesilo7441.exe
MD5
573a705d5e0d497295ea03ac32056f8f

SHA1
22da991da46c925251c0d509cdaa6cad50e3ebe1

SHA256
74f9d0543c52f4e3cc068134a69edaea6af7d715874efc4acd643991f28f3de3

SHA512
59399a3c87b2157485ca25899c018d98c8dea6572a918bb5c2984f6b24c86fbe2e76fac87625ab05e782a4f1ca655eb71c1a225ccccc25e722344294b22fa515

Download Submit
C:\Users\Admin\AppData\Roaming\whesilo7441.exe
MD5
573a705d5e0d497295ea03ac32056f8f

SHA1
22da991da46c925251c0d509cdaa6cad50e3ebe1

SHA256
74f9d0543c52f4e3cc068134a69edaea6af7d715874efc4acd643991f28f3de3

SHA512
59399a3c87b2157485ca25899c018d98c8dea6572a918bb5c2984f6b24c86fbe2e76fac87625ab05e782a4f1ca655eb71c1a225ccccc25e722344294b22fa515

Download Submit
\Users\Admin\AppData\Roaming\whesilo7441.exe
MD5
573a705d5e0d497295ea03ac32056f8f

SHA1
22da991da46c925251c0d509cdaa6cad50e3ebe1

SHA256
74f9d0543c52f4e3cc068134a69edaea6af7d715874efc4acd643991f28f3de3

SHA512
59399a3c87b2157485ca25899c018d98c8dea6572a918bb5c2984f6b24c86fbe2e76fac87625ab05e782a4f1ca655eb71c1a225ccccc25e722344294b22fa515

Download Submit
\Users\Admin\AppData\Roaming\whesilo7441.exe
MD5
573a705d5e0d497295ea03ac32056f8f

SHA1
22da991da46c925251c0d509cdaa6cad50e3ebe1

SHA256
74f9d0543c52f4e3cc068134a69edaea6af7d715874efc4acd643991f28f3de3

SHA512
59399a3c87b2157485ca25899c018d98c8dea6572a918bb5c2984f6b24c86fbe2e76fac87625ab05e782a4f1ca655eb71c1a225ccccc25e722344294b22fa515

Download Submit
\Users\Admin\AppData\Roaming\whesilo7441.exe
MD5
573a705d5e0d497295ea03ac32056f8f

SHA1
22da991da46c925251c0d509cdaa6cad50e3ebe1

SHA256
74f9d0543c52f4e3cc068134a69edaea6af7d715874efc4acd643991f28f3de3

SHA512
59399a3c87b2157485ca25899c018d98c8dea6572a918bb5c2984f6b24c86fbe2e76fac87625ab05e782a4f1ca655eb71c1a225ccccc25e722344294b22fa515

Download Submit
\Users\Admin\AppData\Roaming\whesilo7441.exe
MD5
573a705d5e0d497295ea03ac32056f8f

SHA1
22da991da46c925251c0d509cdaa6cad50e3ebe1

SHA256
74f9d0543c52f4e3cc068134a69edaea6af7d715874efc4acd643991f28f3de3

SHA512
59399a3c87b2157485ca25899c018d98c8dea6572a918bb5c2984f6b24c86fbe2e76fac87625ab05e782a4f1ca655eb71c1a225ccccc25e722344294b22fa515

Download Submit
\Users\Admin\AppData\Roaming\whesilo7441.exe
MD5
573a705d5e0d497295ea03ac32056f8f

SHA1
22da991da46c925251c0d509cdaa6cad50e3ebe1

SHA256
74f9d0543c52f4e3cc068134a69edaea6af7d715874efc4acd643991f28f3de3

SHA512
59399a3c87b2157485ca25899c018d98c8dea6572a918bb5c2984f6b24c86fbe2e76fac87625ab05e782a4f1ca655eb71c1a225ccccc25e722344294b22fa515

Download Submit
\Users\Admin\AppData\Roaming\whesilo7441.exe
MD5
573a705d5e0d497295ea03ac32056f8f

SHA1
22da991da46c925251c0d509cdaa6cad50e3ebe1

SHA256
74f9d0543c52f4e3cc068134a69edaea6af7d715874efc4acd643991f28f3de3

SHA512
59399a3c87b2157485ca25899c018d98c8dea6572a918bb5c2984f6b24c86fbe2e76fac87625ab05e782a4f1ca655eb71c1a225ccccc25e722344294b22fa515

Download Submit
memory/332-86-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/332-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/332-60-0x0000000071211000-0x0000000071213000-memory.dmp

Filesize
8KB

Download
memory/332-59-0x000000002F391000-0x000000002F394000-memory.dmp

Filesize
12KB

Download
memory/936-72-0x0000000002040000-0x0000000002066000-memory.dmp

Filesize
152KB

Download
memory/936-71-0x0000000004F10000-0x0000000004F73000-memory.dmp

Filesize
396KB

Download
memory/936-70-0x00000000004E0000-0x00000000004EB000-memory.dmp

Filesize
44KB

Download
memory/936-69-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/936-67-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/936-64-0x0000000000000000-mapping.dmp

Download
memory/1084-73-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1084-74-0x000000000041F89E-mapping.dmp

Download
memory/1084-76-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1084-78-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/1544-62-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/2008-79-0x0000000000000000-mapping.dmp

Download
memory/2008-85-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download