snakekeylogger | 6243afcc3184f4bf3f969dd7fed686e57e574d17417ec71351bc71d5adba673d

General

Target

Sample_10120351200_ISO_035117img.exe
Size

833KB
MD5

0d20e6334179eeadad75c218d0d9dca2
SHA1

ab19c8e05121be1bfed70591477610cd12e066ab
SHA256

8b94440478e3c9fd0991d121ef5ab7144425da4b074a65d93fd9111a515c0b8e
SHA512

3f5672aafefbaf9156a0cda170360eb5fa43e1907e7966c041c2f870a2af0494bc9315c57fb85840ce3e7b4c02c7bfe5b85c023d8759c26da5605a0762d800fd

Score

10^/10

snakekeylogger collection keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
ilbgone.cyou
Port:
587
Username:
[email protected]
Password:
H3c8T~{Vz%IH

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Executes dropped EXE 1 IoCs

Processes:

update.exe

pid process

1512 update.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1512	update.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

vbc.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
9 freegeoip.app
10 freegeoip.app
16 freegeoip.app

flow	ioc
4	checkip.dyndns.org
9	freegeoip.app
10	freegeoip.app
16	freegeoip.app

Suspicious use of SetThreadContext 2 IoCs

Processes:

Sample_10120351200_ISO_035117img.exeupdate.exe

description	pid	process	target process
PID 1728 set thread context of 1828	1728	Sample_10120351200_ISO_035117img.exe	vbc.exe
PID 1512 set thread context of 1632	1512	update.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1428 schtasks.exe
644 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exevbc.exe

pid process

1828 vbc.exe
1632 vbc.exe

pid	process
1428	schtasks.exe
644	schtasks.exe

pid	process
1828	vbc.exe
1632	vbc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Sample_10120351200_ISO_035117img.exevbc.exeupdate.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1728	Sample_10120351200_ISO_035117img.exe
Token: SeDebugPrivilege	1828	vbc.exe
Token: SeDebugPrivilege	1512	update.exe
Token: SeDebugPrivilege	1632	vbc.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

Sample_10120351200_ISO_035117img.execmd.exetaskeng.exeupdate.execmd.exe

description	pid	process	target process
PID 1728 wrote to memory of 1828	1728	Sample_10120351200_ISO_035117img.exe	vbc.exe
PID 1728 wrote to memory of 1828	1728	Sample_10120351200_ISO_035117img.exe	vbc.exe
PID 1728 wrote to memory of 1828	1728	Sample_10120351200_ISO_035117img.exe	vbc.exe
PID 1728 wrote to memory of 1828	1728	Sample_10120351200_ISO_035117img.exe	vbc.exe
PID 1728 wrote to memory of 1828	1728	Sample_10120351200_ISO_035117img.exe	vbc.exe
PID 1728 wrote to memory of 1828	1728	Sample_10120351200_ISO_035117img.exe	vbc.exe
PID 1728 wrote to memory of 1828	1728	Sample_10120351200_ISO_035117img.exe	vbc.exe
PID 1728 wrote to memory of 1828	1728	Sample_10120351200_ISO_035117img.exe	vbc.exe
PID 1728 wrote to memory of 1828	1728	Sample_10120351200_ISO_035117img.exe	vbc.exe
PID 1728 wrote to memory of 748	1728	Sample_10120351200_ISO_035117img.exe	cmd.exe
PID 1728 wrote to memory of 748	1728	Sample_10120351200_ISO_035117img.exe	cmd.exe
PID 1728 wrote to memory of 748	1728	Sample_10120351200_ISO_035117img.exe	cmd.exe
PID 1728 wrote to memory of 748	1728	Sample_10120351200_ISO_035117img.exe	cmd.exe
PID 1728 wrote to memory of 948	1728	Sample_10120351200_ISO_035117img.exe	cmd.exe
PID 1728 wrote to memory of 948	1728	Sample_10120351200_ISO_035117img.exe	cmd.exe
PID 1728 wrote to memory of 948	1728	Sample_10120351200_ISO_035117img.exe	cmd.exe
PID 1728 wrote to memory of 948	1728	Sample_10120351200_ISO_035117img.exe	cmd.exe
PID 748 wrote to memory of 1428	748	cmd.exe	schtasks.exe
PID 748 wrote to memory of 1428	748	cmd.exe	schtasks.exe
PID 748 wrote to memory of 1428	748	cmd.exe	schtasks.exe
PID 748 wrote to memory of 1428	748	cmd.exe	schtasks.exe
PID 560 wrote to memory of 1512	560	taskeng.exe	update.exe
PID 560 wrote to memory of 1512	560	taskeng.exe	update.exe
PID 560 wrote to memory of 1512	560	taskeng.exe	update.exe
PID 560 wrote to memory of 1512	560	taskeng.exe	update.exe
PID 560 wrote to memory of 1512	560	taskeng.exe	update.exe
PID 560 wrote to memory of 1512	560	taskeng.exe	update.exe
PID 560 wrote to memory of 1512	560	taskeng.exe	update.exe
PID 1512 wrote to memory of 1632	1512	update.exe	vbc.exe
PID 1512 wrote to memory of 1632	1512	update.exe	vbc.exe
PID 1512 wrote to memory of 1632	1512	update.exe	vbc.exe
PID 1512 wrote to memory of 1632	1512	update.exe	vbc.exe
PID 1512 wrote to memory of 1632	1512	update.exe	vbc.exe
PID 1512 wrote to memory of 1632	1512	update.exe	vbc.exe
PID 1512 wrote to memory of 1632	1512	update.exe	vbc.exe
PID 1512 wrote to memory of 1632	1512	update.exe	vbc.exe
PID 1512 wrote to memory of 1632	1512	update.exe	vbc.exe
PID 1512 wrote to memory of 916	1512	update.exe	cmd.exe
PID 1512 wrote to memory of 916	1512	update.exe	cmd.exe
PID 1512 wrote to memory of 916	1512	update.exe	cmd.exe
PID 1512 wrote to memory of 916	1512	update.exe	cmd.exe
PID 1512 wrote to memory of 1568	1512	update.exe	cmd.exe
PID 1512 wrote to memory of 1568	1512	update.exe	cmd.exe
PID 1512 wrote to memory of 1568	1512	update.exe	cmd.exe
PID 1512 wrote to memory of 1568	1512	update.exe	cmd.exe
PID 916 wrote to memory of 644	916	cmd.exe	schtasks.exe
PID 916 wrote to memory of 644	916	cmd.exe	schtasks.exe
PID 916 wrote to memory of 644	916	cmd.exe	schtasks.exe
PID 916 wrote to memory of 644	916	cmd.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

C:\Users\Admin\AppData\Local\Temp\Sample_10120351200_ISO_035117img.exe
"C:\Users\Admin\AppData\Local\Temp\Sample_10120351200_ISO_035117img.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Sample_10120351200_ISO_035117img.exe" "C:\Users\Admin\AppData\Roaming\update\update.exe"
2⤵
PID:948

C:\Windows\system32\taskeng.exe
taskeng.exe {9567D6E8-3AE5-4CD2-BF99-BB32F6277D0E} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Users\Admin\AppData\Roaming\update\update.exe
C:\Users\Admin\AppData\Roaming\update\update.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
4⤵
- Creates scheduled task(s)
PID:644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\update\update.exe" "C:\Users\Admin\AppData\Roaming\update\update.exe"
3⤵
PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\update\update.exe
MD5
0d20e6334179eeadad75c218d0d9dca2

SHA1
ab19c8e05121be1bfed70591477610cd12e066ab

SHA256
8b94440478e3c9fd0991d121ef5ab7144425da4b074a65d93fd9111a515c0b8e

SHA512
3f5672aafefbaf9156a0cda170360eb5fa43e1907e7966c041c2f870a2af0494bc9315c57fb85840ce3e7b4c02c7bfe5b85c023d8759c26da5605a0762d800fd

Download Submit
C:\Users\Admin\AppData\Roaming\update\update.exe
MD5
0d20e6334179eeadad75c218d0d9dca2

SHA1
ab19c8e05121be1bfed70591477610cd12e066ab

SHA256
8b94440478e3c9fd0991d121ef5ab7144425da4b074a65d93fd9111a515c0b8e

SHA512
3f5672aafefbaf9156a0cda170360eb5fa43e1907e7966c041c2f870a2af0494bc9315c57fb85840ce3e7b4c02c7bfe5b85c023d8759c26da5605a0762d800fd

Download Submit
memory/644-99-0x0000000000000000-mapping.dmp

Download
memory/748-72-0x0000000000000000-mapping.dmp

Download
memory/916-97-0x0000000000000000-mapping.dmp

Download
memory/948-73-0x0000000000000000-mapping.dmp

Download
memory/1428-74-0x0000000000000000-mapping.dmp

Download
memory/1512-79-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/1512-77-0x0000000000000000-mapping.dmp

Download
memory/1512-81-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/1568-98-0x0000000000000000-mapping.dmp

Download
memory/1632-100-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/1632-87-0x00000000004203FE-mapping.dmp

Download
memory/1728-54-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1728-56-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/1828-61-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1828-75-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/1828-58-0x0000000000080000-0x00000000000A6000-memory.dmp

Filesize
152KB

Download
memory/1828-62-0x00000000004203FE-mapping.dmp

Download
memory/1828-57-0x0000000000080000-0x00000000000A6000-memory.dmp

Filesize
152KB

Download
memory/1828-59-0x0000000000080000-0x00000000000A6000-memory.dmp

Filesize
152KB

Download
memory/1828-63-0x0000000000080000-0x00000000000A6000-memory.dmp

Filesize
152KB

Download
memory/1828-70-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/1828-60-0x0000000000080000-0x00000000000A6000-memory.dmp

Filesize
152KB

Download
memory/1828-69-0x0000000000080000-0x00000000000A6000-memory.dmp

Filesize
152KB

Download
memory/1828-66-0x0000000000080000-0x00000000000A6000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads