snakekeylogger | dee9479a27f8281c61fa8e25f006e01087e5dabad181cdb262bd8e9f4696e851

General

Target

PO. 4500129645.pdf.exe
Size

549KB
MD5

f7c5e33a5643b753e390d04823584f71
SHA1

62b46991b702107cd1ee9871b1c1a417a3346616
SHA256

dee9479a27f8281c61fa8e25f006e01087e5dabad181cdb262bd8e9f4696e851
SHA512

c871b0597199f11b5273359b5de4d314517b1c226f99542f676f61b230b35e6dc1633356fa2cf016567757ef59cb01d8f408cf542f38aa19fd1b13e00652d94a

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5392870078:AAEZf0ajeo_PMkBddeC_JE--NP4u4367N6c/sendMessage?chat_id=1856108848

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1876-67-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1876-69-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1876-70-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1876-71-0x000000000042039E-mapping.dmp	family_snakekeylogger
behavioral1/memory/1876-73-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1876-75-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

PO. 4500129645.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO. 4500129645.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO. 4500129645.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO. 4500129645.pdf.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO. 4500129645.pdf.exe

description pid process target process

PID 1944 set thread context of 1876 1944 PO. 4500129645.pdf.exe PO. 4500129645.pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1628 schtasks.exe

flow	ioc
4	checkip.dyndns.org

description	pid	process	target process
PID 1944 set thread context of 1876	1944	PO. 4500129645.pdf.exe	PO. 4500129645.pdf.exe

pid	process
1628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

PO. 4500129645.pdf.exePO. 4500129645.pdf.exepowershell.exe

pid	process
1944	PO. 4500129645.pdf.exe
1944	PO. 4500129645.pdf.exe
1944	PO. 4500129645.pdf.exe
1944	PO. 4500129645.pdf.exe
1876	PO. 4500129645.pdf.exe
1724	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO. 4500129645.pdf.exePO. 4500129645.pdf.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1944	PO. 4500129645.pdf.exe
Token: SeDebugPrivilege	1876	PO. 4500129645.pdf.exe
Token: SeDebugPrivilege	1724	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

PO. 4500129645.pdf.exe

description	pid	process	target process
PID 1944 wrote to memory of 1724	1944	PO. 4500129645.pdf.exe	powershell.exe
PID 1944 wrote to memory of 1724	1944	PO. 4500129645.pdf.exe	powershell.exe
PID 1944 wrote to memory of 1724	1944	PO. 4500129645.pdf.exe	powershell.exe
PID 1944 wrote to memory of 1724	1944	PO. 4500129645.pdf.exe	powershell.exe
PID 1944 wrote to memory of 1628	1944	PO. 4500129645.pdf.exe	schtasks.exe
PID 1944 wrote to memory of 1628	1944	PO. 4500129645.pdf.exe	schtasks.exe
PID 1944 wrote to memory of 1628	1944	PO. 4500129645.pdf.exe	schtasks.exe
PID 1944 wrote to memory of 1628	1944	PO. 4500129645.pdf.exe	schtasks.exe
PID 1944 wrote to memory of 1876	1944	PO. 4500129645.pdf.exe	PO. 4500129645.pdf.exe
PID 1944 wrote to memory of 1876	1944	PO. 4500129645.pdf.exe	PO. 4500129645.pdf.exe
PID 1944 wrote to memory of 1876	1944	PO. 4500129645.pdf.exe	PO. 4500129645.pdf.exe
PID 1944 wrote to memory of 1876	1944	PO. 4500129645.pdf.exe	PO. 4500129645.pdf.exe
PID 1944 wrote to memory of 1876	1944	PO. 4500129645.pdf.exe	PO. 4500129645.pdf.exe
PID 1944 wrote to memory of 1876	1944	PO. 4500129645.pdf.exe	PO. 4500129645.pdf.exe
PID 1944 wrote to memory of 1876	1944	PO. 4500129645.pdf.exe	PO. 4500129645.pdf.exe
PID 1944 wrote to memory of 1876	1944	PO. 4500129645.pdf.exe	PO. 4500129645.pdf.exe
PID 1944 wrote to memory of 1876	1944	PO. 4500129645.pdf.exe	PO. 4500129645.pdf.exe

outlook_office_path 1 IoCs

Processes:

PO. 4500129645.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO. 4500129645.pdf.exe

outlook_win_path 1 IoCs

Processes:

PO. 4500129645.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO. 4500129645.pdf.exe

C:\Users\Admin\AppData\Local\Temp\PO. 4500129645.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PO. 4500129645.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PBsoYnOH.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PBsoYnOH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCE29.tmp"
2⤵
- Creates scheduled task(s)
PID:1628

C:\Users\Admin\AppData\Local\Temp\PO. 4500129645.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PO. 4500129645.pdf.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCE29.tmp
Filesize
1KB

MD5
3293a96f3bee20c84c5c82ad35565ecc

SHA1
be6a6b548171dfa93895c3c07d9cd82ac3354399

SHA256
90c5812524f7a897cddb41c3c67289fcb6ef981f4ad4149db61ded93b9cc8d2d

SHA512
0604474bc575472f2031cf6c187da1c6ef059cab75b7ab9367460c3b0b69069db506abbc30877906fca484da0fad74f258934f633061e102f4b687892c68b62e

Download Submit
memory/1628-59-0x0000000000000000-mapping.dmp

Download
memory/1724-58-0x0000000000000000-mapping.dmp

Download
memory/1724-77-0x000000006C4A0000-0x000000006CA4B000-memory.dmp

Filesize
5.7MB

Download
memory/1876-69-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1876-71-0x000000000042039E-mapping.dmp

Download
memory/1876-75-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1876-73-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1876-70-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1876-64-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1876-65-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1876-67-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1944-54-0x00000000009E0000-0x0000000000A6E000-memory.dmp

Filesize
568KB

Download
memory/1944-63-0x0000000004F80000-0x0000000004FA6000-memory.dmp

Filesize
152KB

Download
memory/1944-57-0x00000000055F0000-0x0000000005674000-memory.dmp

Filesize
528KB

Download
memory/1944-62-0x0000000004C50000-0x0000000004C56000-memory.dmp

Filesize
24KB

Download
memory/1944-56-0x00000000007F0000-0x00000000007FE000-memory.dmp

Filesize
56KB

Download
memory/1944-55-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads