snakekeylogger | c2186fd9dedfc7f90be64b895c2ce0ce93ae347b99de534bfc9570f9f9ad80e7

General

Target

PO#120111.exe
Size

705KB
MD5

308d21fc3085301ae679fdc305be6a7a
SHA1

10e700444d2ca58f75681953bb1a1bbb59dfb498
SHA256

c2186fd9dedfc7f90be64b895c2ce0ce93ae347b99de534bfc9570f9f9ad80e7
SHA512

984cdecca9c6dbeafa319029242ae9d5a08ce1bb38e8e612580ff96c1cd069159dc624335b33999a8e55b84e4027c7e1e96f50db4b4d90938303409f97816d45

Score

10^/10

Family

snakekeylogger

Credentials

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4900-137-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

37 checkip.dyndns.org
41 freegeoip.app
42 freegeoip.app
51 freegeoip.app
52 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO#120111.exe

description pid process target process

PID 3384 set thread context of 4900 3384 PO#120111.exe PO#120111.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1840 4900 WerFault.exe PO#120111.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

PO#120111.exePO#120111.exe

pid process

3384 PO#120111.exe
4900 PO#120111.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO#120111.exePO#120111.exe

description pid process

Token: SeDebugPrivilege 3384 PO#120111.exe
Token: SeDebugPrivilege 4900 PO#120111.exe

description	pid	process	target process
PID 3384 set thread context of 4900	3384	PO#120111.exe	PO#120111.exe

pid	pid_target	process	target process
1840	4900	WerFault.exe	PO#120111.exe

pid	process
3384	PO#120111.exe
4900	PO#120111.exe

description	pid	process
Token: SeDebugPrivilege	3384	PO#120111.exe
Token: SeDebugPrivilege	4900	PO#120111.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

PO#120111.exe

description	pid	process	target process
PID 3384 wrote to memory of 4900	3384	PO#120111.exe	PO#120111.exe
PID 3384 wrote to memory of 4900	3384	PO#120111.exe	PO#120111.exe
PID 3384 wrote to memory of 4900	3384	PO#120111.exe	PO#120111.exe
PID 3384 wrote to memory of 4900	3384	PO#120111.exe	PO#120111.exe
PID 3384 wrote to memory of 4900	3384	PO#120111.exe	PO#120111.exe
PID 3384 wrote to memory of 4900	3384	PO#120111.exe	PO#120111.exe
PID 3384 wrote to memory of 4900	3384	PO#120111.exe	PO#120111.exe
PID 3384 wrote to memory of 4900	3384	PO#120111.exe	PO#120111.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1808
3⤵
- Program crash
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4900 -ip 4900
1⤵
PID:3108

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO#120111.exe.log
Filesize
1KB

MD5
8323fae9fbc8238dfd3efdc87ac3534c

SHA1
d88623828a38d6b528963a32902c9f336a08942e

SHA256
1ccd81d339d51696fa8569e0ea179873452e8aa087b14a397538cda74996fe00

SHA512
9a50d78360761b85c2b49fd2959744c004a74600ffef5756391fec0f02c8aafc6061a028518808693297f03e9fc65067e3d4b29d876ed70eb8e2ad9094d246c3

Download Submit
memory/3384-130-0x0000000000450000-0x0000000000506000-memory.dmp

Filesize
728KB

Download
memory/3384-131-0x00000000078B0000-0x0000000007E54000-memory.dmp

Filesize
5.6MB

Download
memory/3384-132-0x00000000073A0000-0x0000000007432000-memory.dmp

Filesize
584KB

Download
memory/3384-133-0x0000000007380000-0x000000000738A000-memory.dmp

Filesize
40KB

Download
memory/3384-134-0x0000000007690000-0x000000000772C000-memory.dmp

Filesize
624KB

Download
memory/3384-135-0x0000000009DF0000-0x0000000009E56000-memory.dmp

Filesize
408KB

Download
memory/4900-136-0x0000000000000000-mapping.dmp

Download
memory/4900-137-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download