snakekeylogger | bfc94f0bd631a75dca96329c99631b3d7a6f6152974b091d280a8f77ddd88e15

General

Target

filezx.exe
Size

379KB
MD5

7e439c7f9636682598cb3438da45ebe9
SHA1

1033a94c129f60d5ef3915f0f8f1a9882eb4c845
SHA256

bfc94f0bd631a75dca96329c99631b3d7a6f6152974b091d280a8f77ddd88e15
SHA512

deebc13f38f464d6a3a660391cc70d30e774618c89604559354b393317b35eaae6b871718d86dd22d9a5efa5e9abc09fa9867aea740998fe7b985048a52c8cb9

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.twinarrow.com.my
Port:
587
Username:
account@twinarrow.com.my
Password:
accountaccount123@
Email To:
toniclinton33@gmail.com

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1952-102-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1952-104-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1952-106-0x00000000004202CE-mapping.dmp	family_snakekeylogger
behavioral1/memory/1952-105-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1952-108-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1952-110-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

filezx.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	filezx.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	filezx.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	filezx.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

filezx.exe

description pid process target process

PID 1704 set thread context of 1952 1704 filezx.exe filezx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
4	checkip.dyndns.org

description	pid	process	target process
PID 1704 set thread context of 1952	1704	filezx.exe	filezx.exe

Delays execution with timeout.exe 20 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1440	timeout.exe
664	timeout.exe
1620	timeout.exe
1768	timeout.exe
1976	timeout.exe
552	timeout.exe
2016	timeout.exe
1972	timeout.exe
2020	timeout.exe
1972	timeout.exe
1628	timeout.exe
1344	timeout.exe
1776	timeout.exe
1056	timeout.exe
1668	timeout.exe
972	timeout.exe
1568	timeout.exe
1748	timeout.exe
1060	timeout.exe
524	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

filezx.exefilezx.exe

pid process

1704 filezx.exe
1952 filezx.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

filezx.exefilezx.exe

description pid process

Token: SeDebugPrivilege 1704 filezx.exe
Token: SeDebugPrivilege 1952 filezx.exe

pid	process
1704	filezx.exe
1952	filezx.exe

description	pid	process
Token: SeDebugPrivilege	1704	filezx.exe
Token: SeDebugPrivilege	1952	filezx.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

filezx.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1704 wrote to memory of 2036	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 2036	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 2036	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 2036	1704	filezx.exe	cmd.exe
PID 2036 wrote to memory of 2020	2036	cmd.exe	timeout.exe
PID 2036 wrote to memory of 2020	2036	cmd.exe	timeout.exe
PID 2036 wrote to memory of 2020	2036	cmd.exe	timeout.exe
PID 2036 wrote to memory of 2020	2036	cmd.exe	timeout.exe
PID 1704 wrote to memory of 1884	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 1884	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 1884	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 1884	1704	filezx.exe	cmd.exe
PID 1884 wrote to memory of 1972	1884	cmd.exe	timeout.exe
PID 1884 wrote to memory of 1972	1884	cmd.exe	timeout.exe
PID 1884 wrote to memory of 1972	1884	cmd.exe	timeout.exe
PID 1884 wrote to memory of 1972	1884	cmd.exe	timeout.exe
PID 1704 wrote to memory of 936	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 936	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 936	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 936	1704	filezx.exe	cmd.exe
PID 936 wrote to memory of 1776	936	cmd.exe	timeout.exe
PID 936 wrote to memory of 1776	936	cmd.exe	timeout.exe
PID 936 wrote to memory of 1776	936	cmd.exe	timeout.exe
PID 936 wrote to memory of 1776	936	cmd.exe	timeout.exe
PID 1704 wrote to memory of 812	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 812	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 812	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 812	1704	filezx.exe	cmd.exe
PID 812 wrote to memory of 1748	812	cmd.exe	timeout.exe
PID 812 wrote to memory of 1748	812	cmd.exe	timeout.exe
PID 812 wrote to memory of 1748	812	cmd.exe	timeout.exe
PID 812 wrote to memory of 1748	812	cmd.exe	timeout.exe
PID 1704 wrote to memory of 240	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 240	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 240	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 240	1704	filezx.exe	cmd.exe
PID 240 wrote to memory of 1060	240	cmd.exe	timeout.exe
PID 240 wrote to memory of 1060	240	cmd.exe	timeout.exe
PID 240 wrote to memory of 1060	240	cmd.exe	timeout.exe
PID 240 wrote to memory of 1060	240	cmd.exe	timeout.exe
PID 1704 wrote to memory of 840	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 840	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 840	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 840	1704	filezx.exe	cmd.exe
PID 840 wrote to memory of 1056	840	cmd.exe	timeout.exe
PID 840 wrote to memory of 1056	840	cmd.exe	timeout.exe
PID 840 wrote to memory of 1056	840	cmd.exe	timeout.exe
PID 840 wrote to memory of 1056	840	cmd.exe	timeout.exe
PID 1704 wrote to memory of 1920	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 1920	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 1920	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 1920	1704	filezx.exe	cmd.exe
PID 1920 wrote to memory of 524	1920	cmd.exe	timeout.exe
PID 1920 wrote to memory of 524	1920	cmd.exe	timeout.exe
PID 1920 wrote to memory of 524	1920	cmd.exe	timeout.exe
PID 1920 wrote to memory of 524	1920	cmd.exe	timeout.exe
PID 1704 wrote to memory of 996	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 996	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 996	1704	filezx.exe	cmd.exe
PID 1704 wrote to memory of 996	1704	filezx.exe	cmd.exe
PID 996 wrote to memory of 1628	996	cmd.exe	timeout.exe
PID 996 wrote to memory of 1628	996	cmd.exe	timeout.exe
PID 996 wrote to memory of 1628	996	cmd.exe	timeout.exe
PID 996 wrote to memory of 1628	996	cmd.exe	timeout.exe

outlook_office_path 1 IoCs

Processes:

filezx.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	filezx.exe

outlook_win_path 1 IoCs

Processes:

filezx.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	filezx.exe

C:\Users\Admin\AppData\Local\Temp\filezx.exe
"C:\Users\Admin\AppData\Local\Temp\filezx.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
2⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:2020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
2⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
2⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
2⤵
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
2⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
2⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
2⤵
PID:436

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
2⤵
PID:1160

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
2⤵
PID:652

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
2⤵
PID:1364

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
2⤵
PID:456

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
2⤵
PID:1280

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:2016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
2⤵
PID:2000

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
2⤵
PID:940

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
2⤵
PID:1880

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
2⤵
PID:324

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
2⤵
PID:1556

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:1440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 1
2⤵
PID:1572

C:\Windows\SysWOW64\timeout.exe
timeout /t 1
3⤵
- Delays execution with timeout.exe
PID:664

C:\Users\Admin\AppData\Local\Temp\filezx.exe
C:\Users\Admin\AppData\Local\Temp\filezx.exe
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/240-64-0x0000000000000000-mapping.dmp

Download
memory/324-90-0x0000000000000000-mapping.dmp

Download
memory/436-72-0x0000000000000000-mapping.dmp

Download
memory/456-80-0x0000000000000000-mapping.dmp

Download
memory/524-69-0x0000000000000000-mapping.dmp

Download
memory/552-79-0x0000000000000000-mapping.dmp

Download
memory/652-76-0x0000000000000000-mapping.dmp

Download
memory/664-95-0x0000000000000000-mapping.dmp

Download
memory/812-62-0x0000000000000000-mapping.dmp

Download
memory/840-66-0x0000000000000000-mapping.dmp

Download
memory/936-60-0x0000000000000000-mapping.dmp

Download
memory/940-86-0x0000000000000000-mapping.dmp

Download
memory/972-73-0x0000000000000000-mapping.dmp

Download
memory/996-70-0x0000000000000000-mapping.dmp

Download
memory/1056-67-0x0000000000000000-mapping.dmp

Download
memory/1060-65-0x0000000000000000-mapping.dmp

Download
memory/1160-74-0x0000000000000000-mapping.dmp

Download
memory/1280-82-0x0000000000000000-mapping.dmp

Download
memory/1344-77-0x0000000000000000-mapping.dmp

Download
memory/1364-78-0x0000000000000000-mapping.dmp

Download
memory/1440-93-0x0000000000000000-mapping.dmp

Download
memory/1556-92-0x0000000000000000-mapping.dmp

Download
memory/1568-91-0x0000000000000000-mapping.dmp

Download
memory/1572-94-0x0000000000000000-mapping.dmp

Download
memory/1620-81-0x0000000000000000-mapping.dmp

Download
memory/1628-71-0x0000000000000000-mapping.dmp

Download
memory/1668-75-0x0000000000000000-mapping.dmp

Download
memory/1704-96-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/1704-98-0x0000000000CF0000-0x0000000000D3C000-memory.dmp

Filesize
304KB

Download
memory/1704-97-0x00000000006A0000-0x00000000006D6000-memory.dmp

Filesize
216KB

Download
memory/1704-55-0x00000000755B1000-0x00000000755B3000-memory.dmp

Filesize
8KB

Download
memory/1704-54-0x0000000001270000-0x00000000012D4000-memory.dmp

Filesize
400KB

Download
memory/1748-63-0x0000000000000000-mapping.dmp

Download
memory/1768-87-0x0000000000000000-mapping.dmp

Download
memory/1776-61-0x0000000000000000-mapping.dmp

Download
memory/1880-88-0x0000000000000000-mapping.dmp

Download
memory/1884-58-0x0000000000000000-mapping.dmp

Download
memory/1920-68-0x0000000000000000-mapping.dmp

Download
memory/1952-110-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1952-105-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1952-108-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1952-99-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1952-100-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1952-102-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1952-104-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1952-106-0x00000000004202CE-mapping.dmp

Download
memory/1972-59-0x0000000000000000-mapping.dmp

Download
memory/1972-85-0x0000000000000000-mapping.dmp

Download
memory/1976-89-0x0000000000000000-mapping.dmp

Download
memory/2000-84-0x0000000000000000-mapping.dmp

Download
memory/2016-83-0x0000000000000000-mapping.dmp

Download
memory/2020-57-0x0000000000000000-mapping.dmp

Download
memory/2036-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads