snakekeylogger | d3ac98cf64ca2fca455b2e4f002c3381bcee699cf64bbfaa076222209f834b1a

General

Target

RFQ Document.exe
Size

336KB
MD5

64468b2ab541687572ce6b435b41f2bd
SHA1

893ae234d351c762ab388a7337c625e4b213da6e
SHA256

d3ac98cf64ca2fca455b2e4f002c3381bcee699cf64bbfaa076222209f834b1a
SHA512

317c14df6c6d1dd3b120a28743eface80474d7140515d61d0a00c326a923f56c71d7135907e2c2d5f17cba1b5746bb19ae5262cf656a098ebd94adba82cc2db8

Score

10^/10

snakekeylogger keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot1926537393:AAHGSUhtLeQU8qms_2blDH9qpvo-fEuwi9E/sendMessage?chat_id=1664748411

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Loads dropped DLL 1 IoCs

Processes:

RFQ Document.exe

pid process

3624 RFQ Document.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 checkip.dyndns.org
5 freegeoip.app
6 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ Document.exe

description pid process target process

PID 3624 set thread context of 3728 3624 RFQ Document.exe RFQ Document.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RFQ Document.exe

pid process

3728 RFQ Document.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RFQ Document.exe

description pid process

Token: SeDebugPrivilege 3728 RFQ Document.exe

pid	process
3624	RFQ Document.exe

flow	ioc
3	checkip.dyndns.org
5	freegeoip.app
6	freegeoip.app

description	pid	process	target process
PID 3624 set thread context of 3728	3624	RFQ Document.exe	RFQ Document.exe

pid	process
3728	RFQ Document.exe

description	pid	process
Token: SeDebugPrivilege	3728	RFQ Document.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

RFQ Document.exe

description	pid	process	target process
PID 3624 wrote to memory of 3728	3624	RFQ Document.exe	RFQ Document.exe
PID 3624 wrote to memory of 3728	3624	RFQ Document.exe	RFQ Document.exe
PID 3624 wrote to memory of 3728	3624	RFQ Document.exe	RFQ Document.exe
PID 3624 wrote to memory of 3728	3624	RFQ Document.exe	RFQ Document.exe
PID 3624 wrote to memory of 3728	3624	RFQ Document.exe	RFQ Document.exe
PID 3624 wrote to memory of 3728	3624	RFQ Document.exe	RFQ Document.exe
PID 3624 wrote to memory of 3728	3624	RFQ Document.exe	RFQ Document.exe
PID 3624 wrote to memory of 3728	3624	RFQ Document.exe	RFQ Document.exe
PID 3624 wrote to memory of 3728	3624	RFQ Document.exe	RFQ Document.exe
PID 3624 wrote to memory of 3728	3624	RFQ Document.exe	RFQ Document.exe

C:\Users\Admin\AppData\Local\Temp\RFQ Document.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ Document.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3624

C:\Users\Admin\AppData\Local\Temp\RFQ Document.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ Document.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nse935D.tmp\tkwj.dll
MD5
a4b645ed197074158d7159bd47fa101b

SHA1
e50e421afba9603d2e57137ff72aca6256c14cf1

SHA256
15aef55d8e9f0d4ad435e111dc346fdeb294a77ea06b8b053424b11c3cd6fbcd

SHA512
3cc5e9fd59dfd4e40f691d3de9f5b9c809f5c4a3643d03606133cc608619923f96e4058598572bc716bfae70173c50afdd74c32a1d258ab036f3da847eb86155

Download Submit
memory/3728-116-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3728-117-0x000000000040188B-mapping.dmp

Download
memory/3728-118-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3728-119-0x00000000022A0000-0x00000000022D6000-memory.dmp

Filesize
216KB

Download
memory/3728-121-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/3728-122-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/3728-124-0x00000000049B2000-0x00000000049B3000-memory.dmp

Filesize
4KB

Download
memory/3728-123-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/3728-125-0x00000000049B3000-0x00000000049B4000-memory.dmp

Filesize
4KB

Download
memory/3728-126-0x00000000049B4000-0x00000000049B5000-memory.dmp

Filesize
4KB

Download
memory/3728-127-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/3728-128-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/3728-129-0x0000000005A00000-0x0000000005A01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing