snakekeylogger | 6243afcc3184f4bf3f969dd7fed686e57e574d17417ec71351bc71d5adba673d

General

Target

Sample_10120351200_ISO_035117img.exe
Size

833KB
MD5

0d20e6334179eeadad75c218d0d9dca2
SHA1

ab19c8e05121be1bfed70591477610cd12e066ab
SHA256

8b94440478e3c9fd0991d121ef5ab7144425da4b074a65d93fd9111a515c0b8e
SHA512

3f5672aafefbaf9156a0cda170360eb5fa43e1907e7966c041c2f870a2af0494bc9315c57fb85840ce3e7b4c02c7bfe5b85c023d8759c26da5605a0762d800fd

Score

10^/10

snakekeylogger collection keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
ilbgone.cyou
Port:
587
Username:
[email protected]
Password:
H3c8T~{Vz%IH

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Executes dropped EXE 1 IoCs

Processes:

update.exe

pid process

2952 update.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2952	update.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

vbc.exevbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 checkip.dyndns.org
24 freegeoip.app
25 freegeoip.app
28 freegeoip.app

flow	ioc
22	checkip.dyndns.org
24	freegeoip.app
25	freegeoip.app
28	freegeoip.app

Suspicious use of SetThreadContext 2 IoCs

Processes:

Sample_10120351200_ISO_035117img.exeupdate.exe

description	pid	process	target process
PID 480 set thread context of 676	480	Sample_10120351200_ISO_035117img.exe	vbc.exe
PID 2952 set thread context of 2032	2952	update.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

820 schtasks.exe
3140 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exevbc.exe

pid process

676 vbc.exe
2032 vbc.exe

pid	process
820	schtasks.exe
3140	schtasks.exe

pid	process
676	vbc.exe
2032	vbc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Sample_10120351200_ISO_035117img.exevbc.exeupdate.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	480	Sample_10120351200_ISO_035117img.exe
Token: SeDebugPrivilege	676	vbc.exe
Token: SeDebugPrivilege	2952	update.exe
Token: SeDebugPrivilege	2032	vbc.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

Sample_10120351200_ISO_035117img.execmd.exeupdate.execmd.exe

description	pid	process	target process
PID 480 wrote to memory of 676	480	Sample_10120351200_ISO_035117img.exe	vbc.exe
PID 480 wrote to memory of 676	480	Sample_10120351200_ISO_035117img.exe	vbc.exe
PID 480 wrote to memory of 676	480	Sample_10120351200_ISO_035117img.exe	vbc.exe
PID 480 wrote to memory of 676	480	Sample_10120351200_ISO_035117img.exe	vbc.exe
PID 480 wrote to memory of 676	480	Sample_10120351200_ISO_035117img.exe	vbc.exe
PID 480 wrote to memory of 676	480	Sample_10120351200_ISO_035117img.exe	vbc.exe
PID 480 wrote to memory of 676	480	Sample_10120351200_ISO_035117img.exe	vbc.exe
PID 480 wrote to memory of 676	480	Sample_10120351200_ISO_035117img.exe	vbc.exe
PID 480 wrote to memory of 1020	480	Sample_10120351200_ISO_035117img.exe	cmd.exe
PID 480 wrote to memory of 1020	480	Sample_10120351200_ISO_035117img.exe	cmd.exe
PID 480 wrote to memory of 1020	480	Sample_10120351200_ISO_035117img.exe	cmd.exe
PID 480 wrote to memory of 1452	480	Sample_10120351200_ISO_035117img.exe	cmd.exe
PID 480 wrote to memory of 1452	480	Sample_10120351200_ISO_035117img.exe	cmd.exe
PID 480 wrote to memory of 1452	480	Sample_10120351200_ISO_035117img.exe	cmd.exe
PID 1020 wrote to memory of 820	1020	cmd.exe	schtasks.exe
PID 1020 wrote to memory of 820	1020	cmd.exe	schtasks.exe
PID 1020 wrote to memory of 820	1020	cmd.exe	schtasks.exe
PID 2952 wrote to memory of 2032	2952	update.exe	vbc.exe
PID 2952 wrote to memory of 2032	2952	update.exe	vbc.exe
PID 2952 wrote to memory of 2032	2952	update.exe	vbc.exe
PID 2952 wrote to memory of 2032	2952	update.exe	vbc.exe
PID 2952 wrote to memory of 2032	2952	update.exe	vbc.exe
PID 2952 wrote to memory of 2032	2952	update.exe	vbc.exe
PID 2952 wrote to memory of 2032	2952	update.exe	vbc.exe
PID 2952 wrote to memory of 2032	2952	update.exe	vbc.exe
PID 2952 wrote to memory of 2344	2952	update.exe	cmd.exe
PID 2952 wrote to memory of 2344	2952	update.exe	cmd.exe
PID 2952 wrote to memory of 2344	2952	update.exe	cmd.exe
PID 2952 wrote to memory of 3572	2952	update.exe	cmd.exe
PID 2952 wrote to memory of 3572	2952	update.exe	cmd.exe
PID 2952 wrote to memory of 3572	2952	update.exe	cmd.exe
PID 2344 wrote to memory of 3140	2344	cmd.exe	schtasks.exe
PID 2344 wrote to memory of 3140	2344	cmd.exe	schtasks.exe
PID 2344 wrote to memory of 3140	2344	cmd.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vbc.exe

C:\Users\Admin\AppData\Local\Temp\Sample_10120351200_ISO_035117img.exe
"C:\Users\Admin\AppData\Local\Temp\Sample_10120351200_ISO_035117img.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
3⤵
- Creates scheduled task(s)
PID:820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Sample_10120351200_ISO_035117img.exe" "C:\Users\Admin\AppData\Roaming\update\update.exe"
2⤵
PID:1452

C:\Users\Admin\AppData\Roaming\update\update.exe
C:\Users\Admin\AppData\Roaming\update\update.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\update\update.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\update\update.exe" "C:\Users\Admin\AppData\Roaming\update\update.exe"
2⤵
PID:3572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\update\update.exe
MD5
0d20e6334179eeadad75c218d0d9dca2

SHA1
ab19c8e05121be1bfed70591477610cd12e066ab

SHA256
8b94440478e3c9fd0991d121ef5ab7144425da4b074a65d93fd9111a515c0b8e

SHA512
3f5672aafefbaf9156a0cda170360eb5fa43e1907e7966c041c2f870a2af0494bc9315c57fb85840ce3e7b4c02c7bfe5b85c023d8759c26da5605a0762d800fd

Download Submit
C:\Users\Admin\AppData\Roaming\update\update.exe
MD5
0d20e6334179eeadad75c218d0d9dca2

SHA1
ab19c8e05121be1bfed70591477610cd12e066ab

SHA256
8b94440478e3c9fd0991d121ef5ab7144425da4b074a65d93fd9111a515c0b8e

SHA512
3f5672aafefbaf9156a0cda170360eb5fa43e1907e7966c041c2f870a2af0494bc9315c57fb85840ce3e7b4c02c7bfe5b85c023d8759c26da5605a0762d800fd

Download Submit
memory/480-117-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/480-118-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/480-119-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/480-120-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/480-121-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/480-115-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/676-122-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/676-124-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/676-126-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/676-130-0x0000000009620000-0x0000000009621000-memory.dmp

Filesize
4KB

Download
memory/676-131-0x0000000009540000-0x0000000009A3E000-memory.dmp

Filesize
5.0MB

Download
memory/676-125-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/676-123-0x00000000004203FE-mapping.dmp

Download
memory/676-135-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/820-134-0x0000000000000000-mapping.dmp

Download
memory/1020-132-0x0000000000000000-mapping.dmp

Download
memory/1452-133-0x0000000000000000-mapping.dmp

Download
memory/2032-860-0x00000000004203FE-mapping.dmp

Download
memory/2032-1463-0x0000000009750000-0x0000000009C4E000-memory.dmp

Filesize
5.0MB

Download
memory/2344-868-0x0000000000000000-mapping.dmp

Download
memory/2952-858-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/3140-870-0x0000000000000000-mapping.dmp

Download
memory/3572-869-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads