snakekeylogger | dee9479a27f8281c61fa8e25f006e01087e5dabad181cdb262bd8e9f4696e851

General

Target

PO. 4500129645.pdf.exe
Size

549KB
MD5

f7c5e33a5643b753e390d04823584f71
SHA1

62b46991b702107cd1ee9871b1c1a417a3346616
SHA256

dee9479a27f8281c61fa8e25f006e01087e5dabad181cdb262bd8e9f4696e851
SHA512

c871b0597199f11b5273359b5de4d314517b1c226f99542f676f61b230b35e6dc1633356fa2cf016567757ef59cb01d8f408cf542f38aa19fd1b13e00652d94a

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5392870078:AAEZf0ajeo_PMkBddeC_JE--NP4u4367N6c/sendMessage?chat_id=1856108848

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3908-142-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PO. 4500129645.pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	PO. 4500129645.pdf.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO. 4500129645.pdf.exe

description pid process target process

PID 432 set thread context of 3908 432 PO. 4500129645.pdf.exe PO. 4500129645.pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4920 3908 WerFault.exe PO. 4500129645.pdf.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1076 schtasks.exe

flow	ioc
43	checkip.dyndns.org

description	pid	process	target process
PID 432 set thread context of 3908	432	PO. 4500129645.pdf.exe	PO. 4500129645.pdf.exe

pid	pid_target	process	target process
4920	3908	WerFault.exe	PO. 4500129645.pdf.exe

pid	process
1076	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

PO. 4500129645.pdf.exePO. 4500129645.pdf.exepowershell.exe

pid	process
432	PO. 4500129645.pdf.exe
432	PO. 4500129645.pdf.exe
432	PO. 4500129645.pdf.exe
432	PO. 4500129645.pdf.exe
432	PO. 4500129645.pdf.exe
432	PO. 4500129645.pdf.exe
432	PO. 4500129645.pdf.exe
3908	PO. 4500129645.pdf.exe
2184	powershell.exe
2184	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO. 4500129645.pdf.exePO. 4500129645.pdf.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	432	PO. 4500129645.pdf.exe
Token: SeDebugPrivilege	3908	PO. 4500129645.pdf.exe
Token: SeDebugPrivilege	2184	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

PO. 4500129645.pdf.exe

description	pid	process	target process
PID 432 wrote to memory of 2184	432	PO. 4500129645.pdf.exe	powershell.exe
PID 432 wrote to memory of 2184	432	PO. 4500129645.pdf.exe	powershell.exe
PID 432 wrote to memory of 2184	432	PO. 4500129645.pdf.exe	powershell.exe
PID 432 wrote to memory of 1076	432	PO. 4500129645.pdf.exe	schtasks.exe
PID 432 wrote to memory of 1076	432	PO. 4500129645.pdf.exe	schtasks.exe
PID 432 wrote to memory of 1076	432	PO. 4500129645.pdf.exe	schtasks.exe
PID 432 wrote to memory of 3908	432	PO. 4500129645.pdf.exe	PO. 4500129645.pdf.exe
PID 432 wrote to memory of 3908	432	PO. 4500129645.pdf.exe	PO. 4500129645.pdf.exe
PID 432 wrote to memory of 3908	432	PO. 4500129645.pdf.exe	PO. 4500129645.pdf.exe
PID 432 wrote to memory of 3908	432	PO. 4500129645.pdf.exe	PO. 4500129645.pdf.exe
PID 432 wrote to memory of 3908	432	PO. 4500129645.pdf.exe	PO. 4500129645.pdf.exe
PID 432 wrote to memory of 3908	432	PO. 4500129645.pdf.exe	PO. 4500129645.pdf.exe
PID 432 wrote to memory of 3908	432	PO. 4500129645.pdf.exe	PO. 4500129645.pdf.exe
PID 432 wrote to memory of 3908	432	PO. 4500129645.pdf.exe	PO. 4500129645.pdf.exe

C:\Users\Admin\AppData\Local\Temp\PO. 4500129645.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PO. 4500129645.pdf.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PBsoYnOH.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PBsoYnOH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp18E2.tmp"
2⤵
- Creates scheduled task(s)
PID:1076

C:\Users\Admin\AppData\Local\Temp\PO. 4500129645.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PO. 4500129645.pdf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 1476
3⤵
- Program crash
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3908 -ip 3908
1⤵
PID:1584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO. 4500129645.pdf.exe.log
Filesize
1KB

MD5
8323fae9fbc8238dfd3efdc87ac3534c

SHA1
d88623828a38d6b528963a32902c9f336a08942e

SHA256
1ccd81d339d51696fa8569e0ea179873452e8aa087b14a397538cda74996fe00

SHA512
9a50d78360761b85c2b49fd2959744c004a74600ffef5756391fec0f02c8aafc6061a028518808693297f03e9fc65067e3d4b29d876ed70eb8e2ad9094d246c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp18E2.tmp
Filesize
1KB

MD5
d1a49647afa03f370e30e335fd5c5862

SHA1
8e0b3227b9e9fddedf7d0d1d4916ffab9d5a71ae

SHA256
f8040e2e72a118eecf02f552a2d441c93a654d9c7676adf3ffd0e6031444fc80

SHA512
ae98b79d872eb2b2fdec3572a3e1cba89661ec6e70bfe11a85030e7fb144df504989042311e7177708982ed2c3f77b798412bbef5663a81d92da85a5bcbb6341

Download Submit
memory/432-131-0x0000000005230000-0x00000000057D4000-memory.dmp

Filesize
5.6MB

Download
memory/432-132-0x0000000004D20000-0x0000000004DB2000-memory.dmp

Filesize
584KB

Download
memory/432-133-0x0000000004D10000-0x0000000004D1A000-memory.dmp

Filesize
40KB

Download
memory/432-134-0x0000000004FC0000-0x000000000505C000-memory.dmp

Filesize
624KB

Download
memory/432-135-0x0000000007900000-0x0000000007966000-memory.dmp

Filesize
408KB

Download
memory/432-130-0x00000000002E0000-0x000000000036E000-memory.dmp

Filesize
568KB

Download
memory/1076-137-0x0000000000000000-mapping.dmp

Download
memory/2184-148-0x0000000070DB0000-0x0000000070DFC000-memory.dmp

Filesize
304KB

Download
memory/2184-136-0x0000000000000000-mapping.dmp

Download
memory/2184-156-0x00000000077E0000-0x00000000077E8000-memory.dmp

Filesize
32KB

Download
memory/2184-155-0x0000000007800000-0x000000000781A000-memory.dmp

Filesize
104KB

Download
memory/2184-138-0x00000000028A0000-0x00000000028D6000-memory.dmp

Filesize
216KB

Download
memory/2184-144-0x00000000052E0000-0x0000000005302000-memory.dmp

Filesize
136KB

Download
memory/2184-145-0x0000000005380000-0x00000000053E6000-memory.dmp

Filesize
408KB

Download
memory/2184-146-0x00000000060A0000-0x00000000060BE000-memory.dmp

Filesize
120KB

Download
memory/2184-147-0x0000000006780000-0x00000000067B2000-memory.dmp

Filesize
200KB

Download
memory/2184-140-0x00000000054D0000-0x0000000005AF8000-memory.dmp

Filesize
6.2MB

Download
memory/2184-149-0x0000000006760000-0x000000000677E000-memory.dmp

Filesize
120KB

Download
memory/2184-150-0x0000000007B00000-0x000000000817A000-memory.dmp

Filesize
6.5MB

Download
memory/2184-151-0x00000000074C0000-0x00000000074DA000-memory.dmp

Filesize
104KB

Download
memory/2184-152-0x0000000007530000-0x000000000753A000-memory.dmp

Filesize
40KB

Download
memory/2184-153-0x0000000007740000-0x00000000077D6000-memory.dmp

Filesize
600KB

Download
memory/2184-154-0x0000000006210000-0x000000000621E000-memory.dmp

Filesize
56KB

Download
memory/3908-142-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3908-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads