snakekeylogger | a6a4c5aaefa51d2f614a6f21e83b64d63e29fb868c8d410dacf317ad220f774a

General

Target

7e3b08163812d6a9ff4e279058f603e5.exe
Size

388KB
MD5

7e3b08163812d6a9ff4e279058f603e5
SHA1

29a1e69c99fadc447a6958c24e45c71127e88d6b
SHA256

a6a4c5aaefa51d2f614a6f21e83b64d63e29fb868c8d410dacf317ad220f774a
SHA512

7682105ae32834638f77c1c3282bdc3eefc42d922843d12aa346f4c9b2d68269764677b29444953bbff8a9245d2c14416817e879550b170a1921d14366af492b

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.sapphireclothing.com
Port:
587
Username:
hr@sapphireclothing.com
Password:
hrSap2018

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

7e3b08163812d6a9ff4e279058f603e5.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	7e3b08163812d6a9ff4e279058f603e5.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	7e3b08163812d6a9ff4e279058f603e5.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	7e3b08163812d6a9ff4e279058f603e5.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 checkip.dyndns.org
24 freegeoip.app
25 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

7e3b08163812d6a9ff4e279058f603e5.exe

description pid process target process

PID 2728 set thread context of 924 2728 7e3b08163812d6a9ff4e279058f603e5.exe 7e3b08163812d6a9ff4e279058f603e5.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

7e3b08163812d6a9ff4e279058f603e5.exe

pid process

924 7e3b08163812d6a9ff4e279058f603e5.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7e3b08163812d6a9ff4e279058f603e5.exe

description pid process

Token: SeDebugPrivilege 924 7e3b08163812d6a9ff4e279058f603e5.exe

flow	ioc
22	checkip.dyndns.org
24	freegeoip.app
25	freegeoip.app

description	pid	process	target process
PID 2728 set thread context of 924	2728	7e3b08163812d6a9ff4e279058f603e5.exe	7e3b08163812d6a9ff4e279058f603e5.exe

pid	process
924	7e3b08163812d6a9ff4e279058f603e5.exe

description	pid	process
Token: SeDebugPrivilege	924	7e3b08163812d6a9ff4e279058f603e5.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

7e3b08163812d6a9ff4e279058f603e5.exe

description	pid	process	target process
PID 2728 wrote to memory of 924	2728	7e3b08163812d6a9ff4e279058f603e5.exe	7e3b08163812d6a9ff4e279058f603e5.exe
PID 2728 wrote to memory of 924	2728	7e3b08163812d6a9ff4e279058f603e5.exe	7e3b08163812d6a9ff4e279058f603e5.exe
PID 2728 wrote to memory of 924	2728	7e3b08163812d6a9ff4e279058f603e5.exe	7e3b08163812d6a9ff4e279058f603e5.exe
PID 2728 wrote to memory of 924	2728	7e3b08163812d6a9ff4e279058f603e5.exe	7e3b08163812d6a9ff4e279058f603e5.exe
PID 2728 wrote to memory of 924	2728	7e3b08163812d6a9ff4e279058f603e5.exe	7e3b08163812d6a9ff4e279058f603e5.exe
PID 2728 wrote to memory of 924	2728	7e3b08163812d6a9ff4e279058f603e5.exe	7e3b08163812d6a9ff4e279058f603e5.exe
PID 2728 wrote to memory of 924	2728	7e3b08163812d6a9ff4e279058f603e5.exe	7e3b08163812d6a9ff4e279058f603e5.exe
PID 2728 wrote to memory of 924	2728	7e3b08163812d6a9ff4e279058f603e5.exe	7e3b08163812d6a9ff4e279058f603e5.exe

outlook_office_path 1 IoCs

Processes:

7e3b08163812d6a9ff4e279058f603e5.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	7e3b08163812d6a9ff4e279058f603e5.exe

outlook_win_path 1 IoCs

Processes:

7e3b08163812d6a9ff4e279058f603e5.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	7e3b08163812d6a9ff4e279058f603e5.exe

C:\Users\Admin\AppData\Local\Temp\7e3b08163812d6a9ff4e279058f603e5.exe
"C:\Users\Admin\AppData\Local\Temp\7e3b08163812d6a9ff4e279058f603e5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Local\Temp\7e3b08163812d6a9ff4e279058f603e5.exe
"C:\Users\Admin\AppData\Local\Temp\7e3b08163812d6a9ff4e279058f603e5.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7e3b08163812d6a9ff4e279058f603e5.exe.log
MD5
f1181bc4bdff57024c4121f645548332

SHA1
d431ee3a3a5afcae2c4537b1d445054a0a95f6e6

SHA256
f1a7e138b25d0cb24bb4b23bd781b0dd357afd49d45e19ffa44cdb80170336ad

SHA512
cf8059f289bcb4f33e82a2c4851fade486bd449793a39718d49bc357efd09689150aedd277c5ebcf79b5ebb4bbe36f0cbb72510a50398bee804ffd9c889604e3

Download Submit
memory/924-125-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/924-134-0x00000000069C0000-0x00000000069C1000-memory.dmp

Filesize
4KB

Download
memory/924-132-0x00000000055B0000-0x0000000005AAE000-memory.dmp

Filesize
5.0MB

Download
memory/924-126-0x000000000042052E-mapping.dmp

Download
memory/2728-119-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/2728-122-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/2728-123-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/2728-124-0x0000000005CA0000-0x0000000005CEB000-memory.dmp

Filesize
300KB

Download
memory/2728-121-0x0000000005030000-0x0000000005038000-memory.dmp

Filesize
32KB

Download
memory/2728-120-0x0000000005050000-0x000000000554E000-memory.dmp

Filesize
5.0MB

Download
memory/2728-115-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2728-118-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/2728-117-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads