snakekeylogger | 82b5be618f705ff7761c43590eb7dc89a2387512757dcc0df9290f29801b8f41

General

Target

2BABA new file.exe
Size

449KB
MD5

1a403d5b4db5509524bfd552afbc96f1
SHA1

39a3ca238648f4f86741d6b94a190e0379aa7307
SHA256

82b5be618f705ff7761c43590eb7dc89a2387512757dcc0df9290f29801b8f41
SHA512

8de7ab3405bd1160fe09affac878ec8c252853cc6904d784ab1bcb4a5a1f43263ff917727149badcff74ac60443390b66dd5fe2c6400dd2d0805f39bcf5a0099

Score

10^/10

snakekeylogger collection evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.algodontekstil.com
Port:
587
Username:
[email protected]
Password:
Alg001453

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

2BABA new file.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	2BABA new file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	2BABA new file.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

2BABA new file.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2BABA new file.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2BABA new file.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2BABA new file.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 checkip.dyndns.org
10 freegeoip.app
11 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

2BABA new file.exepowershell.exepowershell.exe

pid process

1468 2BABA new file.exe
564 powershell.exe
868 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2BABA new file.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1468 2BABA new file.exe
Token: SeDebugPrivilege 564 powershell.exe
Token: SeDebugPrivilege 868 powershell.exe

flow	ioc
7	checkip.dyndns.org
10	freegeoip.app
11	freegeoip.app

pid	process
1468	2BABA new file.exe
564	powershell.exe
868	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1468	2BABA new file.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2BABA new file.exe

description	pid	process	target process
PID 1468 wrote to memory of 564	1468	2BABA new file.exe	powershell.exe
PID 1468 wrote to memory of 564	1468	2BABA new file.exe	powershell.exe
PID 1468 wrote to memory of 564	1468	2BABA new file.exe	powershell.exe
PID 1468 wrote to memory of 564	1468	2BABA new file.exe	powershell.exe
PID 1468 wrote to memory of 868	1468	2BABA new file.exe	powershell.exe
PID 1468 wrote to memory of 868	1468	2BABA new file.exe	powershell.exe
PID 1468 wrote to memory of 868	1468	2BABA new file.exe	powershell.exe
PID 1468 wrote to memory of 868	1468	2BABA new file.exe	powershell.exe

outlook_office_path 1 IoCs

Processes:

2BABA new file.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2BABA new file.exe

outlook_win_path 1 IoCs

Processes:

2BABA new file.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2BABA new file.exe

C:\Users\Admin\AppData\Local\Temp\2BABA new file.exe
"C:\Users\Admin\AppData\Local\Temp\2BABA new file.exe"
1⤵
- Windows security modification
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2BABA new file.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2BABA new file.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Disabling Security Tools

2

T1089

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
0521ce83b8dc37110befb6395108c30a

SHA1
6fdd71d04355edf793e8d11514abfb10f51ae8ab

SHA256
df3b227183340e5d30239e1729c1bc8ec8d52e94f27019d29abb0fd67a52f343

SHA512
0fb717bcbe7c4a3b03f0f10442cf2f7fbe1ade6a4afb99bea4cd360c27db65de487a1fe4b5e5bd64a9c4fd5a21c0a6a474a9c85988d623aa3d83d4e81b4c1858

Download Submit
memory/564-61-0x0000000000000000-mapping.dmp

Download
memory/564-70-0x0000000001E82000-0x0000000001E84000-memory.dmp

Filesize
8KB

Download
memory/564-67-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/564-69-0x0000000001E81000-0x0000000001E82000-memory.dmp

Filesize
4KB

Download
memory/868-68-0x00000000023F0000-0x000000000303A000-memory.dmp

Filesize
12.3MB

Download
memory/868-62-0x0000000000000000-mapping.dmp

Download
memory/868-71-0x00000000023F0000-0x000000000303A000-memory.dmp

Filesize
12.3MB

Download
memory/1468-65-0x00000000005E0000-0x00000000005FF000-memory.dmp

Filesize
124KB

Download
memory/1468-60-0x0000000006A60000-0x0000000006B95000-memory.dmp

Filesize
1.2MB

Download
memory/1468-54-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1468-58-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1468-57-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/1468-56-0x00000000755A1000-0x00000000755A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads