snakekeylogger | 1a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30

General

Target

a28c434e703d9d0961f526f87a61109c.exe
Size

662KB
MD5

a28c434e703d9d0961f526f87a61109c
SHA1

c18ce22d993ee202d7c4e91aeda8f602a1ddb054
SHA256

1a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30
SHA512

a380bd060f69d0813fa1c1141fc960225fbeb1a13195ed7349a2d0f7d3ad72e9b37df4f2f8afe45ac8b6bf4997fdc5bac69d9ec93123a1ef5e8f0871dc29e72d

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
octfirr.shop
Port:
587
Username:
income@octfirr.shop
Password:
oPU]A^_2)Udl

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

a28c434e703d9d0961f526f87a61109c.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a28c434e703d9d0961f526f87a61109c.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a28c434e703d9d0961f526f87a61109c.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a28c434e703d9d0961f526f87a61109c.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 checkip.dyndns.org
25 freegeoip.app
26 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

a28c434e703d9d0961f526f87a61109c.exe

description pid process target process

PID 3672 set thread context of 972 3672 a28c434e703d9d0961f526f87a61109c.exe a28c434e703d9d0961f526f87a61109c.exe

flow	ioc
22	checkip.dyndns.org
25	freegeoip.app
26	freegeoip.app

description	pid	process	target process
PID 3672 set thread context of 972	3672	a28c434e703d9d0961f526f87a61109c.exe	a28c434e703d9d0961f526f87a61109c.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a28c434e703d9d0961f526f87a61109c.exea28c434e703d9d0961f526f87a61109c.exe

pid	process
3672	a28c434e703d9d0961f526f87a61109c.exe
3672	a28c434e703d9d0961f526f87a61109c.exe
3672	a28c434e703d9d0961f526f87a61109c.exe
972	a28c434e703d9d0961f526f87a61109c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a28c434e703d9d0961f526f87a61109c.exea28c434e703d9d0961f526f87a61109c.exe

description pid process

Token: SeDebugPrivilege 3672 a28c434e703d9d0961f526f87a61109c.exe
Token: SeDebugPrivilege 972 a28c434e703d9d0961f526f87a61109c.exe

description	pid	process
Token: SeDebugPrivilege	3672	a28c434e703d9d0961f526f87a61109c.exe
Token: SeDebugPrivilege	972	a28c434e703d9d0961f526f87a61109c.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a28c434e703d9d0961f526f87a61109c.exe

description	pid	process	target process
PID 3672 wrote to memory of 972	3672	a28c434e703d9d0961f526f87a61109c.exe	a28c434e703d9d0961f526f87a61109c.exe
PID 3672 wrote to memory of 972	3672	a28c434e703d9d0961f526f87a61109c.exe	a28c434e703d9d0961f526f87a61109c.exe
PID 3672 wrote to memory of 972	3672	a28c434e703d9d0961f526f87a61109c.exe	a28c434e703d9d0961f526f87a61109c.exe
PID 3672 wrote to memory of 972	3672	a28c434e703d9d0961f526f87a61109c.exe	a28c434e703d9d0961f526f87a61109c.exe
PID 3672 wrote to memory of 972	3672	a28c434e703d9d0961f526f87a61109c.exe	a28c434e703d9d0961f526f87a61109c.exe
PID 3672 wrote to memory of 972	3672	a28c434e703d9d0961f526f87a61109c.exe	a28c434e703d9d0961f526f87a61109c.exe
PID 3672 wrote to memory of 972	3672	a28c434e703d9d0961f526f87a61109c.exe	a28c434e703d9d0961f526f87a61109c.exe
PID 3672 wrote to memory of 972	3672	a28c434e703d9d0961f526f87a61109c.exe	a28c434e703d9d0961f526f87a61109c.exe

outlook_office_path 1 IoCs

Processes:

a28c434e703d9d0961f526f87a61109c.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a28c434e703d9d0961f526f87a61109c.exe

outlook_win_path 1 IoCs

Processes:

a28c434e703d9d0961f526f87a61109c.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	a28c434e703d9d0961f526f87a61109c.exe

C:\Users\Admin\AppData\Local\Temp\a28c434e703d9d0961f526f87a61109c.exe
"C:\Users\Admin\AppData\Local\Temp\a28c434e703d9d0961f526f87a61109c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672

C:\Users\Admin\AppData\Local\Temp\a28c434e703d9d0961f526f87a61109c.exe
C:\Users\Admin\AppData\Local\Temp\a28c434e703d9d0961f526f87a61109c.exe
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a28c434e703d9d0961f526f87a61109c.exe.log
MD5
10e24c22b1795d288fb8a915db04a7f1

SHA1
595e82869944ffad9577b4927084cbf0495e6c39

SHA256
858c0144b55f4b3d33b00ec7c91c6d891ffbfcca694afd7115ce767119c9b759

SHA512
262b15d857618556aa7e0943a41698f03b5d4bd50e3cd53862f30a8dbbaca30ce7aa1cbd7baf8a5f3d046190c5be2cd8d6ad39f2842c030e2c68974a9935ab95

Download Submit
memory/972-125-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/972-133-0x0000000005F20000-0x0000000005F21000-memory.dmp

Filesize
4KB

Download
memory/972-132-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/972-131-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/972-126-0x00000000004204CE-mapping.dmp

Download
memory/3672-119-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/3672-123-0x00000000055A0000-0x00000000055BB000-memory.dmp

Filesize
108KB

Download
memory/3672-124-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/3672-122-0x0000000005570000-0x0000000005597000-memory.dmp

Filesize
156KB

Download
memory/3672-121-0x00000000052D0000-0x00000000057CE000-memory.dmp

Filesize
5.0MB

Download
memory/3672-120-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/3672-115-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/3672-118-0x00000000052D0000-0x000000000534B000-memory.dmp

Filesize
492KB

Download
memory/3672-117-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads