snakekeylogger | 20351bfb18a4c774795e240a1a143754493ce9c89edf007c5cb110e4bce447a9

General

Target

ISO-77002387418311pdf.exe
Size

858KB
MD5

2ea15aa68317ad61bdcff453f0750281
SHA1

10bfcd418e65f26a49f8c8c589352872d32d0492
SHA256

20351bfb18a4c774795e240a1a143754493ce9c89edf007c5cb110e4bce447a9
SHA512

5b92dfebaffc4c4fefd0ea0bbd85f6add5480f4039d5b940e26c2ade527719e73acf77302bf5853864d7ed0243af09b2f15b58312d1c0a6f62e6bae29c01b7e8

Score

10^/10

snakekeylogger collection keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
restd.xyz
Port:
587
Username:
amp@netjul.club
Password:
gg@6{ZL65h,*

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Executes dropped EXE 1 IoCs

Processes:

dfxzdg.exe

pid process

628 dfxzdg.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
628	dfxzdg.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

vbc.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
8 freegeoip.app
9 freegeoip.app
14 freegeoip.app

flow	ioc
4	checkip.dyndns.org
8	freegeoip.app
9	freegeoip.app
14	freegeoip.app

Suspicious use of SetThreadContext 2 IoCs

Processes:

ISO-77002387418311pdf.exedfxzdg.exe

description	pid	process	target process
PID 1428 set thread context of 592	1428	ISO-77002387418311pdf.exe	vbc.exe
PID 628 set thread context of 932	628	dfxzdg.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1420 schtasks.exe
1748 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exevbc.exe

pid process

592 vbc.exe
932 vbc.exe

pid	process
1420	schtasks.exe
1748	schtasks.exe

pid	process
592	vbc.exe
932	vbc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ISO-77002387418311pdf.exevbc.exedfxzdg.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1428	ISO-77002387418311pdf.exe
Token: SeDebugPrivilege	592	vbc.exe
Token: SeDebugPrivilege	628	dfxzdg.exe
Token: SeDebugPrivilege	932	vbc.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

ISO-77002387418311pdf.execmd.exetaskeng.exedfxzdg.execmd.exe

description	pid	process	target process
PID 1428 wrote to memory of 592	1428	ISO-77002387418311pdf.exe	vbc.exe
PID 1428 wrote to memory of 592	1428	ISO-77002387418311pdf.exe	vbc.exe
PID 1428 wrote to memory of 592	1428	ISO-77002387418311pdf.exe	vbc.exe
PID 1428 wrote to memory of 592	1428	ISO-77002387418311pdf.exe	vbc.exe
PID 1428 wrote to memory of 592	1428	ISO-77002387418311pdf.exe	vbc.exe
PID 1428 wrote to memory of 592	1428	ISO-77002387418311pdf.exe	vbc.exe
PID 1428 wrote to memory of 592	1428	ISO-77002387418311pdf.exe	vbc.exe
PID 1428 wrote to memory of 592	1428	ISO-77002387418311pdf.exe	vbc.exe
PID 1428 wrote to memory of 592	1428	ISO-77002387418311pdf.exe	vbc.exe
PID 1428 wrote to memory of 1648	1428	ISO-77002387418311pdf.exe	cmd.exe
PID 1428 wrote to memory of 1648	1428	ISO-77002387418311pdf.exe	cmd.exe
PID 1428 wrote to memory of 1648	1428	ISO-77002387418311pdf.exe	cmd.exe
PID 1428 wrote to memory of 1648	1428	ISO-77002387418311pdf.exe	cmd.exe
PID 1428 wrote to memory of 700	1428	ISO-77002387418311pdf.exe	cmd.exe
PID 1428 wrote to memory of 700	1428	ISO-77002387418311pdf.exe	cmd.exe
PID 1428 wrote to memory of 700	1428	ISO-77002387418311pdf.exe	cmd.exe
PID 1428 wrote to memory of 700	1428	ISO-77002387418311pdf.exe	cmd.exe
PID 1648 wrote to memory of 1420	1648	cmd.exe	schtasks.exe
PID 1648 wrote to memory of 1420	1648	cmd.exe	schtasks.exe
PID 1648 wrote to memory of 1420	1648	cmd.exe	schtasks.exe
PID 1648 wrote to memory of 1420	1648	cmd.exe	schtasks.exe
PID 1468 wrote to memory of 628	1468	taskeng.exe	dfxzdg.exe
PID 1468 wrote to memory of 628	1468	taskeng.exe	dfxzdg.exe
PID 1468 wrote to memory of 628	1468	taskeng.exe	dfxzdg.exe
PID 1468 wrote to memory of 628	1468	taskeng.exe	dfxzdg.exe
PID 628 wrote to memory of 932	628	dfxzdg.exe	vbc.exe
PID 628 wrote to memory of 932	628	dfxzdg.exe	vbc.exe
PID 628 wrote to memory of 932	628	dfxzdg.exe	vbc.exe
PID 628 wrote to memory of 932	628	dfxzdg.exe	vbc.exe
PID 628 wrote to memory of 932	628	dfxzdg.exe	vbc.exe
PID 628 wrote to memory of 932	628	dfxzdg.exe	vbc.exe
PID 628 wrote to memory of 932	628	dfxzdg.exe	vbc.exe
PID 628 wrote to memory of 932	628	dfxzdg.exe	vbc.exe
PID 628 wrote to memory of 932	628	dfxzdg.exe	vbc.exe
PID 628 wrote to memory of 1588	628	dfxzdg.exe	cmd.exe
PID 628 wrote to memory of 1588	628	dfxzdg.exe	cmd.exe
PID 628 wrote to memory of 1588	628	dfxzdg.exe	cmd.exe
PID 628 wrote to memory of 1588	628	dfxzdg.exe	cmd.exe
PID 628 wrote to memory of 1992	628	dfxzdg.exe	cmd.exe
PID 628 wrote to memory of 1992	628	dfxzdg.exe	cmd.exe
PID 628 wrote to memory of 1992	628	dfxzdg.exe	cmd.exe
PID 628 wrote to memory of 1992	628	dfxzdg.exe	cmd.exe
PID 1588 wrote to memory of 1748	1588	cmd.exe	schtasks.exe
PID 1588 wrote to memory of 1748	1588	cmd.exe	schtasks.exe
PID 1588 wrote to memory of 1748	1588	cmd.exe	schtasks.exe
PID 1588 wrote to memory of 1748	1588	cmd.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

C:\Users\Admin\AppData\Local\Temp\ISO-77002387418311pdf.exe
"C:\Users\Admin\AppData\Local\Temp\ISO-77002387418311pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\ISO-77002387418311pdf.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
2⤵
PID:700

C:\Windows\system32\taskeng.exe
taskeng.exe {57B41289-16E8-49FB-A134-AE5778DF3BED} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe" "C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe"
3⤵
PID:1992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
MD5
2ea15aa68317ad61bdcff453f0750281

SHA1
10bfcd418e65f26a49f8c8c589352872d32d0492

SHA256
20351bfb18a4c774795e240a1a143754493ce9c89edf007c5cb110e4bce447a9

SHA512
5b92dfebaffc4c4fefd0ea0bbd85f6add5480f4039d5b940e26c2ade527719e73acf77302bf5853864d7ed0243af09b2f15b58312d1c0a6f62e6bae29c01b7e8

Download Submit
C:\Users\Admin\AppData\Roaming\dfxzdg\dfxzdg.exe
MD5
2ea15aa68317ad61bdcff453f0750281

SHA1
10bfcd418e65f26a49f8c8c589352872d32d0492

SHA256
20351bfb18a4c774795e240a1a143754493ce9c89edf007c5cb110e4bce447a9

SHA512
5b92dfebaffc4c4fefd0ea0bbd85f6add5480f4039d5b940e26c2ade527719e73acf77302bf5853864d7ed0243af09b2f15b58312d1c0a6f62e6bae29c01b7e8

Download Submit
memory/592-60-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/592-57-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/592-59-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/592-58-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/592-61-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/592-62-0x00000000004203EE-mapping.dmp

Download
memory/592-63-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/592-68-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/628-74-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/628-70-0x0000000000000000-mapping.dmp

Download
memory/628-72-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/700-66-0x0000000000000000-mapping.dmp

Download
memory/932-86-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/932-80-0x00000000004203EE-mapping.dmp

Download
memory/1420-67-0x0000000000000000-mapping.dmp

Download
memory/1428-54-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1428-56-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/1588-83-0x0000000000000000-mapping.dmp

Download
memory/1648-65-0x0000000000000000-mapping.dmp

Download
memory/1748-85-0x0000000000000000-mapping.dmp

Download
memory/1992-84-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads