snakekeylogger | 7c9ec86bf7e62028b5a8967b2cb83020123d033ca981f6ce0193f2c5f7133b7c

General

Target

Halkbank_Ekstre_20211206_073714_893133.pdf.exe
Size

1.3MB
MD5

a79b059ad6fa9f6db6085ab511afbd68
SHA1

ae8e5c2541ff2619a6f97b81c64c27cdb00f68cc
SHA256

7c9ec86bf7e62028b5a8967b2cb83020123d033ca981f6ce0193f2c5f7133b7c
SHA512

48acbdd89b49aa7f5908c78cbdb9a03ed82f1f974c471b09d43cbed6887ca3e783934d0a5e1692eda3e2c8db0842930257cd36bbfe54a36afb74381e05b025c3

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.palladiumss.com
Port:
587
Username:
raman@palladiumss.com
Password:
raman@1210

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Halkbank_Ekstre_20211206_073714_893133.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Halkbank_Ekstre_20211206_073714_893133.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Halkbank_Ekstre_20211206_073714_893133.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Halkbank_Ekstre_20211206_073714_893133.pdf.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 freegeoip.app
9 freegeoip.app
4 checkip.dyndns.org

flow	ioc
8	freegeoip.app
9	freegeoip.app
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

Halkbank_Ekstre_20211206_073714_893133.pdf.exe

description	pid	process	target process
PID 1664 set thread context of 836	1664	Halkbank_Ekstre_20211206_073714_893133.pdf.exe	Halkbank_Ekstre_20211206_073714_893133.pdf.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Halkbank_Ekstre_20211206_073714_893133.pdf.exe

pid process

836 Halkbank_Ekstre_20211206_073714_893133.pdf.exe

pid	process
836	Halkbank_Ekstre_20211206_073714_893133.pdf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Halkbank_Ekstre_20211206_073714_893133.pdf.exeHalkbank_Ekstre_20211206_073714_893133.pdf.exe

description	pid	process
Token: SeDebugPrivilege	1664	Halkbank_Ekstre_20211206_073714_893133.pdf.exe
Token: SeDebugPrivilege	836	Halkbank_Ekstre_20211206_073714_893133.pdf.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Halkbank_Ekstre_20211206_073714_893133.pdf.exe

description	pid	process	target process
PID 1664 wrote to memory of 836	1664	Halkbank_Ekstre_20211206_073714_893133.pdf.exe	Halkbank_Ekstre_20211206_073714_893133.pdf.exe
PID 1664 wrote to memory of 836	1664	Halkbank_Ekstre_20211206_073714_893133.pdf.exe	Halkbank_Ekstre_20211206_073714_893133.pdf.exe
PID 1664 wrote to memory of 836	1664	Halkbank_Ekstre_20211206_073714_893133.pdf.exe	Halkbank_Ekstre_20211206_073714_893133.pdf.exe
PID 1664 wrote to memory of 836	1664	Halkbank_Ekstre_20211206_073714_893133.pdf.exe	Halkbank_Ekstre_20211206_073714_893133.pdf.exe
PID 1664 wrote to memory of 836	1664	Halkbank_Ekstre_20211206_073714_893133.pdf.exe	Halkbank_Ekstre_20211206_073714_893133.pdf.exe
PID 1664 wrote to memory of 836	1664	Halkbank_Ekstre_20211206_073714_893133.pdf.exe	Halkbank_Ekstre_20211206_073714_893133.pdf.exe
PID 1664 wrote to memory of 836	1664	Halkbank_Ekstre_20211206_073714_893133.pdf.exe	Halkbank_Ekstre_20211206_073714_893133.pdf.exe
PID 1664 wrote to memory of 836	1664	Halkbank_Ekstre_20211206_073714_893133.pdf.exe	Halkbank_Ekstre_20211206_073714_893133.pdf.exe
PID 1664 wrote to memory of 836	1664	Halkbank_Ekstre_20211206_073714_893133.pdf.exe	Halkbank_Ekstre_20211206_073714_893133.pdf.exe

outlook_office_path 1 IoCs

Processes:

Halkbank_Ekstre_20211206_073714_893133.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Halkbank_Ekstre_20211206_073714_893133.pdf.exe

outlook_win_path 1 IoCs

Processes:

Halkbank_Ekstre_20211206_073714_893133.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Halkbank_Ekstre_20211206_073714_893133.pdf.exe

C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20211206_073714_893133.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20211206_073714_893133.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20211206_073714_893133.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20211206_073714_893133.pdf.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/836-60-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/836-61-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/836-62-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/836-63-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/836-64-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/836-65-0x000000000042043E-mapping.dmp

Download
memory/836-66-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/836-68-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/1664-55-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/1664-57-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/1664-58-0x0000000001FE0000-0x0000000001FE8000-memory.dmp

Filesize
32KB

Download
memory/1664-59-0x0000000007AC0000-0x0000000007BCA000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads