snakekeylogger | 3f21db9d14aeead42447a3da72e51971ff0eaf006919824b02416bc0943ad551

General

Target

Dekont Swift Mesaji.exe
Size

970KB
MD5

7dd3654a64ae8c4b4a1b34376ca00e97
SHA1

cf22f0375784b414f4ffd3c8044d7d9aad0c78da
SHA256

3f21db9d14aeead42447a3da72e51971ff0eaf006919824b02416bc0943ad551
SHA512

962b58e2f1ef564964f19c6500489a6ffa6dc22b67128dbf8ba1e8c64a60dbea4162be57c65f3fd93b5e8cc05857a9a212bcaa4c4730fe2b4a155083932a5f29

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.eriminsaat.com.tr
Port:
587
Username:
ercanerol@eriminsaat.com.tr
Password:
ercan932016erim

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Dekont Swift Mesaji.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Dekont Swift Mesaji.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Dekont Swift Mesaji.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Dekont Swift Mesaji.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

31 freegeoip.app
27 checkip.dyndns.org
30 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

Dekont Swift Mesaji.exe

description pid process target process

PID 4208 set thread context of 3192 4208 Dekont Swift Mesaji.exe Dekont Swift Mesaji.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Dekont Swift Mesaji.exeDekont Swift Mesaji.exe

pid process

4208 Dekont Swift Mesaji.exe
4208 Dekont Swift Mesaji.exe
3192 Dekont Swift Mesaji.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Dekont Swift Mesaji.exeDekont Swift Mesaji.exe

description pid process

Token: SeDebugPrivilege 4208 Dekont Swift Mesaji.exe
Token: SeDebugPrivilege 3192 Dekont Swift Mesaji.exe

flow	ioc
31	freegeoip.app
27	checkip.dyndns.org
30	freegeoip.app

description	pid	process	target process
PID 4208 set thread context of 3192	4208	Dekont Swift Mesaji.exe	Dekont Swift Mesaji.exe

pid	process
4208	Dekont Swift Mesaji.exe
4208	Dekont Swift Mesaji.exe
3192	Dekont Swift Mesaji.exe

description	pid	process
Token: SeDebugPrivilege	4208	Dekont Swift Mesaji.exe
Token: SeDebugPrivilege	3192	Dekont Swift Mesaji.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Dekont Swift Mesaji.exe

description	pid	process	target process
PID 4208 wrote to memory of 4560	4208	Dekont Swift Mesaji.exe	Dekont Swift Mesaji.exe
PID 4208 wrote to memory of 4560	4208	Dekont Swift Mesaji.exe	Dekont Swift Mesaji.exe
PID 4208 wrote to memory of 4560	4208	Dekont Swift Mesaji.exe	Dekont Swift Mesaji.exe
PID 4208 wrote to memory of 3192	4208	Dekont Swift Mesaji.exe	Dekont Swift Mesaji.exe
PID 4208 wrote to memory of 3192	4208	Dekont Swift Mesaji.exe	Dekont Swift Mesaji.exe
PID 4208 wrote to memory of 3192	4208	Dekont Swift Mesaji.exe	Dekont Swift Mesaji.exe
PID 4208 wrote to memory of 3192	4208	Dekont Swift Mesaji.exe	Dekont Swift Mesaji.exe
PID 4208 wrote to memory of 3192	4208	Dekont Swift Mesaji.exe	Dekont Swift Mesaji.exe
PID 4208 wrote to memory of 3192	4208	Dekont Swift Mesaji.exe	Dekont Swift Mesaji.exe
PID 4208 wrote to memory of 3192	4208	Dekont Swift Mesaji.exe	Dekont Swift Mesaji.exe
PID 4208 wrote to memory of 3192	4208	Dekont Swift Mesaji.exe	Dekont Swift Mesaji.exe

outlook_office_path 1 IoCs

Processes:

Dekont Swift Mesaji.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Dekont Swift Mesaji.exe

outlook_win_path 1 IoCs

Processes:

Dekont Swift Mesaji.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Dekont Swift Mesaji.exe

C:\Users\Admin\AppData\Local\Temp\Dekont Swift Mesaji.exe
"C:\Users\Admin\AppData\Local\Temp\Dekont Swift Mesaji.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4208

C:\Users\Admin\AppData\Local\Temp\Dekont Swift Mesaji.exe
"C:\Users\Admin\AppData\Local\Temp\Dekont Swift Mesaji.exe"
2⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\Dekont Swift Mesaji.exe
"C:\Users\Admin\AppData\Local\Temp\Dekont Swift Mesaji.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dekont Swift Mesaji.exe.log
MD5
f1181bc4bdff57024c4121f645548332

SHA1
d431ee3a3a5afcae2c4537b1d445054a0a95f6e6

SHA256
f1a7e138b25d0cb24bb4b23bd781b0dd357afd49d45e19ffa44cdb80170336ad

SHA512
cf8059f289bcb4f33e82a2c4851fade486bd449793a39718d49bc357efd09689150aedd277c5ebcf79b5ebb4bbe36f0cbb72510a50398bee804ffd9c889604e3

Download Submit
memory/3192-128-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3192-137-0x00000000050C0000-0x00000000055BE000-memory.dmp

Filesize
5.0MB

Download
memory/3192-135-0x0000000006490000-0x0000000006491000-memory.dmp

Filesize
4KB

Download
memory/3192-129-0x000000000042046E-mapping.dmp

Download
memory/4208-122-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/4208-125-0x0000000007750000-0x0000000007751000-memory.dmp

Filesize
4KB

Download
memory/4208-126-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

Filesize
4KB

Download
memory/4208-127-0x0000000007B60000-0x0000000007C6A000-memory.dmp

Filesize
1.0MB

Download
memory/4208-124-0x00000000053B0000-0x00000000053B5000-memory.dmp

Filesize
20KB

Download
memory/4208-123-0x0000000005190000-0x000000000568E000-memory.dmp

Filesize
5.0MB

Download
memory/4208-118-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/4208-121-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/4208-120-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads