snakekeylogger | caa0fa101c0ee313ae591239f18dcd8fc37cb235af7dfb2e9de350d7f448d34b

General

Target

2098765234567890987660.E.exe
Size

759KB
MD5

bbbf28c148eb325812183d91d8e8a239
SHA1

ba7612abff608b6dd038acfb43a31741329e007c
SHA256

caa0fa101c0ee313ae591239f18dcd8fc37cb235af7dfb2e9de350d7f448d34b
SHA512

852c5aedfc4090559d50ea136aeb6270308766585acb49054f64c570af1011e26b295d681064cbe00d227b3d4dbfd0cc2a34d1113052eb5cc097dbde925978bc

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/488-119-0x0000000000400000-0x000000000048B000-memory.dmp	family_snakekeylogger
behavioral2/memory/488-120-0x000000000040188B-mapping.dmp	family_snakekeylogger
behavioral2/memory/488-121-0x0000000000400000-0x000000000048B000-memory.dmp	family_snakekeylogger

Loads dropped DLL 1 IoCs

Processes:

2098765234567890987660.E.exe

pid process

4052 2098765234567890987660.E.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4052	2098765234567890987660.E.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

2098765234567890987660.E.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2098765234567890987660.E.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2098765234567890987660.E.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2098765234567890987660.E.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

2098765234567890987660.E.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	2098765234567890987660.E.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2098765234567890987660.E.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 checkip.dyndns.org
20 freegeoip.app
21 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

2098765234567890987660.E.exe

description pid process target process

PID 4052 set thread context of 488 4052 2098765234567890987660.E.exe 2098765234567890987660.E.exe

flow	ioc
18	checkip.dyndns.org
20	freegeoip.app
21	freegeoip.app

description	pid	process	target process
PID 4052 set thread context of 488	4052	2098765234567890987660.E.exe	2098765234567890987660.E.exe

Drops file in Windows directory 3 IoCs

Processes:

2098765234567890987660.E.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	2098765234567890987660.E.exe
File created	C:\Windows\assembly\Desktop.ini	2098765234567890987660.E.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2098765234567890987660.E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2098765234567890987660.E.exe

pid process

488 2098765234567890987660.E.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2098765234567890987660.E.exe

description pid process

Token: SeDebugPrivilege 488 2098765234567890987660.E.exe

pid	process
488	2098765234567890987660.E.exe

description	pid	process
Token: SeDebugPrivilege	488	2098765234567890987660.E.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

2098765234567890987660.E.exe

description	pid	process	target process
PID 4052 wrote to memory of 488	4052	2098765234567890987660.E.exe	2098765234567890987660.E.exe
PID 4052 wrote to memory of 488	4052	2098765234567890987660.E.exe	2098765234567890987660.E.exe
PID 4052 wrote to memory of 488	4052	2098765234567890987660.E.exe	2098765234567890987660.E.exe
PID 4052 wrote to memory of 488	4052	2098765234567890987660.E.exe	2098765234567890987660.E.exe
PID 4052 wrote to memory of 488	4052	2098765234567890987660.E.exe	2098765234567890987660.E.exe
PID 4052 wrote to memory of 488	4052	2098765234567890987660.E.exe	2098765234567890987660.E.exe
PID 4052 wrote to memory of 488	4052	2098765234567890987660.E.exe	2098765234567890987660.E.exe
PID 4052 wrote to memory of 488	4052	2098765234567890987660.E.exe	2098765234567890987660.E.exe
PID 4052 wrote to memory of 488	4052	2098765234567890987660.E.exe	2098765234567890987660.E.exe
PID 4052 wrote to memory of 488	4052	2098765234567890987660.E.exe	2098765234567890987660.E.exe

outlook_office_path 1 IoCs

Processes:

2098765234567890987660.E.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2098765234567890987660.E.exe

outlook_win_path 1 IoCs

Processes:

2098765234567890987660.E.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2098765234567890987660.E.exe

C:\Users\Admin\AppData\Local\Temp\2098765234567890987660.E.exe
"C:\Users\Admin\AppData\Local\Temp\2098765234567890987660.E.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Users\Admin\AppData\Local\Temp\2098765234567890987660.E.exe
  "C:\Users\Admin\AppData\Local\Temp\2098765234567890987660.E.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsu90E7.tmp\gotnxdaktoc.dll

MD5
48ec27c77c23413f4e11e531b775542f

SHA1
46fdd7b618bf1abea37a04a38f72664db65dba97

SHA256
ff894568ef9ab2d4bffa5b9c4d67460c292d74e921090395cb4b4812c4146c9c

SHA512
2f0a89c420bb89e4546313709e2ba735252f839f069cb8510101bff9875ecb85206e9e77993c890fb7495bb557b81a4d149ae9a61f50b3513211b3f5aa6e5e3d

Download Submit
memory/488-119-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/488-120-0x000000000040188B-mapping.dmp

Download
memory/488-122-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/488-121-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/488-124-0x0000000002222000-0x0000000002224000-memory.dmp

Filesize
8KB

Download
memory/488-123-0x0000000002221000-0x0000000002222000-memory.dmp

Filesize
4KB

Download
memory/488-125-0x0000000002227000-0x0000000002228000-memory.dmp

Filesize
4KB

Download
memory/488-126-0x0000000002228000-0x0000000002229000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads