snakekeylogger | a5f3c49331caf70461e36db7db7dc0d6ebeb8dcfc06a5d5a747681fb75ae9a50

General

Target

tmp.exe
Size

433KB
MD5

a359ed6ff4218c76aedfbc4e7bf21f8e
SHA1

348741f5e4239294319343588bb782f253ab654d
SHA256

a5f3c49331caf70461e36db7db7dc0d6ebeb8dcfc06a5d5a747681fb75ae9a50
SHA512

4fbc20666bd5202a50ee04efed6afaddfb5c93d39d65b26d51987fd84b745102718f674252e7477301d637db2ffaefcfc920b0420cad9aaebb3ce080247f4730

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
cp5ua.hyperhost.ua
Port:
587
Username:
wealthlog@saonline.xyz
Password:
7213575aceACE@#$
Email To:
wealth@saonline.xyz

C2

https://api.telegram.org/bot5321688653:AAEI2yqGrOA_-sRZ3xaqutrexraSgFa0AnA/sendMessage?chat_id=5048077662

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1764-65-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1764-67-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1764-68-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1764-69-0x00000000004203EE-mapping.dmp	family_snakekeylogger
behavioral1/memory/1764-73-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1764-71-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 1276 set thread context of 1764 1276 tmp.exe tmp.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

560 1764 WerFault.exe tmp.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

tmp.exe

pid process

1764 tmp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tmp.exe

description pid process

Token: SeDebugPrivilege 1764 tmp.exe

flow	ioc
4	checkip.dyndns.org

description	pid	process	target process
PID 1276 set thread context of 1764	1276	tmp.exe	tmp.exe

pid	pid_target	process	target process
560	1764	WerFault.exe	tmp.exe

pid	process
1764	tmp.exe

description	pid	process
Token: SeDebugPrivilege	1764	tmp.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

tmp.exetmp.exe

description	pid	process	target process
PID 1276 wrote to memory of 1764	1276	tmp.exe	tmp.exe
PID 1276 wrote to memory of 1764	1276	tmp.exe	tmp.exe
PID 1276 wrote to memory of 1764	1276	tmp.exe	tmp.exe
PID 1276 wrote to memory of 1764	1276	tmp.exe	tmp.exe
PID 1276 wrote to memory of 1764	1276	tmp.exe	tmp.exe
PID 1276 wrote to memory of 1764	1276	tmp.exe	tmp.exe
PID 1276 wrote to memory of 1764	1276	tmp.exe	tmp.exe
PID 1276 wrote to memory of 1764	1276	tmp.exe	tmp.exe
PID 1276 wrote to memory of 1764	1276	tmp.exe	tmp.exe
PID 1764 wrote to memory of 560	1764	tmp.exe	WerFault.exe
PID 1764 wrote to memory of 560	1764	tmp.exe	WerFault.exe
PID 1764 wrote to memory of 560	1764	tmp.exe	WerFault.exe
PID 1764 wrote to memory of 560	1764	tmp.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 1100
3⤵
- Program crash
PID:560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/560-75-0x0000000000000000-mapping.dmp

Download
memory/1276-55-0x0000000076C01000-0x0000000076C03000-memory.dmp

Filesize
8KB

Download
memory/1276-56-0x0000000004B65000-0x0000000004B76000-memory.dmp

Filesize
68KB

Download
memory/1276-57-0x0000000000710000-0x0000000000726000-memory.dmp

Filesize
88KB

Download
memory/1276-58-0x0000000004B65000-0x0000000004B76000-memory.dmp

Filesize
68KB

Download
memory/1276-59-0x0000000000720000-0x000000000072A000-memory.dmp

Filesize
40KB

Download
memory/1276-60-0x0000000004C80000-0x0000000004CDE000-memory.dmp

Filesize
376KB

Download
memory/1276-61-0x00000000040D0000-0x00000000040F6000-memory.dmp

Filesize
152KB

Download
memory/1276-54-0x0000000000870000-0x00000000008E2000-memory.dmp

Filesize
456KB

Download
memory/1764-62-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1764-65-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1764-67-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1764-68-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1764-69-0x00000000004203EE-mapping.dmp

Download
memory/1764-73-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1764-71-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1764-63-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing