snakekeylogger | 39169117bfbe15a6b58f91a5dd98809ba251cef0f103656ba9d2168baf9052e2

General

Target

RFQ2022-7-5F3435.exe
Size

135KB
MD5

583fd649413705044c36439ffa27afe0
SHA1

37ccdfbf77338199a059840827a0a0bfb31cc095
SHA256

39169117bfbe15a6b58f91a5dd98809ba251cef0f103656ba9d2168baf9052e2
SHA512

4bb4dd3ea197fa2dcfe153fe83b21141989fd90d6b377c480e4229540f079722ec5f32fb2549f527edc322400eaa2624e4ff5e40237b36472c11a28c771b1d30

Score

10^/10

snakekeylogger warzonerat collection infostealer keylogger rat spyware stealer upx

Malware Config

Extracted

Family

warzonerat

C2

76.8.53.133:443

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3148-130-0x0000000000660000-0x00000000006BA000-memory.dmp	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\NKECHI.EXE	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\NKECHI.EXE	family_snakekeylogger
behavioral2/memory/3148-137-0x0000000000660000-0x00000000006BA000-memory.dmp	family_snakekeylogger
behavioral2/memory/2368-138-0x0000000000C10000-0x0000000000C36000-memory.dmp	family_snakekeylogger

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 3 IoCs

Processes:

NKECHI.EXENOW.EXEimages.exe

pid process

2368 NKECHI.EXE
4368 NOW.EXE
4116 images.exe

pid	process
2368	NKECHI.EXE
4368	NOW.EXE
4116	images.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3148-130-0x0000000000660000-0x00000000006BA000-memory.dmp	upx
behavioral2/memory/3148-137-0x0000000000660000-0x00000000006BA000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RFQ2022-7-5F3435.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	RFQ2022-7-5F3435.exe

Drops startup file 2 IoCs

Processes:

NOW.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	NOW.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	NOW.EXE

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

NKECHI.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NKECHI.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NKECHI.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NKECHI.EXE

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
NTFS ADS 1 IoCs

Processes:

NOW.EXE

description ioc process

File created C:\ProgramData:ApplicationData NOW.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

NKECHI.EXEpowershell.exepowershell.exe

pid process

2368 NKECHI.EXE
3168 powershell.exe
3168 powershell.exe
2260 powershell.exe
2260 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

NKECHI.EXEpowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2368 NKECHI.EXE
Token: SeDebugPrivilege 3168 powershell.exe
Token: SeDebugPrivilege 2260 powershell.exe

flow	ioc
4	checkip.dyndns.org

description	ioc	process
File created	C:\ProgramData:ApplicationData	NOW.EXE

pid	process
2368	NKECHI.EXE
3168	powershell.exe
3168	powershell.exe
2260	powershell.exe
2260	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2368	NKECHI.EXE
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

RFQ2022-7-5F3435.exeNOW.EXEcmd.exeimages.exe

description	pid	process	target process
PID 3148 wrote to memory of 2368	3148	RFQ2022-7-5F3435.exe	NKECHI.EXE
PID 3148 wrote to memory of 2368	3148	RFQ2022-7-5F3435.exe	NKECHI.EXE
PID 3148 wrote to memory of 2368	3148	RFQ2022-7-5F3435.exe	NKECHI.EXE
PID 3148 wrote to memory of 4368	3148	RFQ2022-7-5F3435.exe	NOW.EXE
PID 3148 wrote to memory of 4368	3148	RFQ2022-7-5F3435.exe	NOW.EXE
PID 3148 wrote to memory of 4368	3148	RFQ2022-7-5F3435.exe	NOW.EXE
PID 4368 wrote to memory of 3168	4368	NOW.EXE	powershell.exe
PID 4368 wrote to memory of 3168	4368	NOW.EXE	powershell.exe
PID 4368 wrote to memory of 3168	4368	NOW.EXE	powershell.exe
PID 4368 wrote to memory of 4028	4368	NOW.EXE	cmd.exe
PID 4368 wrote to memory of 4028	4368	NOW.EXE	cmd.exe
PID 4368 wrote to memory of 4028	4368	NOW.EXE	cmd.exe
PID 4368 wrote to memory of 4116	4368	NOW.EXE	images.exe
PID 4368 wrote to memory of 4116	4368	NOW.EXE	images.exe
PID 4368 wrote to memory of 4116	4368	NOW.EXE	images.exe
PID 4028 wrote to memory of 3508	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 3508	4028	cmd.exe	reg.exe
PID 4028 wrote to memory of 3508	4028	cmd.exe	reg.exe
PID 4116 wrote to memory of 2260	4116	images.exe	powershell.exe
PID 4116 wrote to memory of 2260	4116	images.exe	powershell.exe
PID 4116 wrote to memory of 2260	4116	images.exe	powershell.exe
PID 4116 wrote to memory of 1328	4116	images.exe	cmd.exe
PID 4116 wrote to memory of 1328	4116	images.exe	cmd.exe
PID 4116 wrote to memory of 1328	4116	images.exe	cmd.exe
PID 4116 wrote to memory of 1328	4116	images.exe	cmd.exe
PID 4116 wrote to memory of 1328	4116	images.exe	cmd.exe

outlook_office_path 1 IoCs

Processes:

NKECHI.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NKECHI.EXE

outlook_win_path 1 IoCs

Processes:

NKECHI.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NKECHI.EXE

C:\Users\Admin\AppData\Local\Temp\RFQ2022-7-5F3435.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ2022-7-5F3435.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3148

C:\Users\Admin\AppData\Local\Temp\NKECHI.EXE
"C:\Users\Admin\AppData\Local\Temp\NKECHI.EXE"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2368

C:\Users\Admin\AppData\Local\Temp\NOW.EXE
"C:\Users\Admin\AppData\Local\Temp\NOW.EXE"
2⤵
- Executes dropped EXE
- Drops startup file
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
4⤵
PID:3508

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\images.exe
Filesize
152KB

MD5
60e722a4557ef4f8e1fef473a0c93069

SHA1
d3bced98c0f2c70da11812b6459de9bb047c100b

SHA256
225acd3495e4a646d89eded5da13d17ea0275d5ab64bb4d02ce555317fa11c1e

SHA512
1ad00e32686c7b80f7edd5743510cc2e897ed0adfb89760b3ce1340ee218d6280df78ed7bb38e2ddd051782a69044372b31b060496514a860a54719b87951127

Download Submit
C:\ProgramData\images.exe
Filesize
152KB

MD5
60e722a4557ef4f8e1fef473a0c93069

SHA1
d3bced98c0f2c70da11812b6459de9bb047c100b

SHA256
225acd3495e4a646d89eded5da13d17ea0275d5ab64bb4d02ce555317fa11c1e

SHA512
1ad00e32686c7b80f7edd5743510cc2e897ed0adfb89760b3ce1340ee218d6280df78ed7bb38e2ddd051782a69044372b31b060496514a860a54719b87951127

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
033440019410265afc2710c1dee8e90b

SHA1
8349478547befa44e30d362b84ba6e5991a1aceb

SHA256
22609ded3c248e4be06df2ec6edb978fcaa5513b00620c66869aac682853cd79

SHA512
e9ca2bdab74d07e8b12e19febffa583ea4841c4cd4b49d7ac8f199c3a485c2b8ccb8353e018f8102592d84018e78cd2dd7a0c34b4352b978f99f0741a8036c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NKECHI.EXE
Filesize
126KB

MD5
5b64a6d15cd34ba72ac8d6138998ce5f

SHA1
c386ca8ee2d19555aeeef47c333fb23715261422

SHA256
d959565da818ec61a894f8952de90f39f7fc9f6b4f525052736c4c976bc17f67

SHA512
32acad2d6fdb10de7c8527b145a6c834932b342e69f1b86ae70056d4fdfd50f7e7284bfa2ae10ad62ec825ab963eb34692244588669bd96ef818a39519cc9972

Download Submit
C:\Users\Admin\AppData\Local\Temp\NKECHI.EXE
Filesize
126KB

MD5
5b64a6d15cd34ba72ac8d6138998ce5f

SHA1
c386ca8ee2d19555aeeef47c333fb23715261422

SHA256
d959565da818ec61a894f8952de90f39f7fc9f6b4f525052736c4c976bc17f67

SHA512
32acad2d6fdb10de7c8527b145a6c834932b342e69f1b86ae70056d4fdfd50f7e7284bfa2ae10ad62ec825ab963eb34692244588669bd96ef818a39519cc9972

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOW.EXE
Filesize
152KB

MD5
60e722a4557ef4f8e1fef473a0c93069

SHA1
d3bced98c0f2c70da11812b6459de9bb047c100b

SHA256
225acd3495e4a646d89eded5da13d17ea0275d5ab64bb4d02ce555317fa11c1e

SHA512
1ad00e32686c7b80f7edd5743510cc2e897ed0adfb89760b3ce1340ee218d6280df78ed7bb38e2ddd051782a69044372b31b060496514a860a54719b87951127

Download Submit
C:\Users\Admin\AppData\Local\Temp\NOW.EXE
Filesize
152KB

MD5
60e722a4557ef4f8e1fef473a0c93069

SHA1
d3bced98c0f2c70da11812b6459de9bb047c100b

SHA256
225acd3495e4a646d89eded5da13d17ea0275d5ab64bb4d02ce555317fa11c1e

SHA512
1ad00e32686c7b80f7edd5743510cc2e897ed0adfb89760b3ce1340ee218d6280df78ed7bb38e2ddd051782a69044372b31b060496514a860a54719b87951127

Download Submit
memory/1328-157-0x0000000000000000-mapping.dmp

Download
memory/1328-158-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/2260-156-0x0000000000000000-mapping.dmp

Download
memory/2260-169-0x0000000007B40000-0x0000000007B48000-memory.dmp

Filesize
32KB

Download
memory/2260-168-0x0000000007B60000-0x0000000007B7A000-memory.dmp

Filesize
104KB

Download
memory/2260-165-0x000000006FC10000-0x000000006FC5C000-memory.dmp

Filesize
304KB

Download
memory/2368-140-0x00000000054E0000-0x000000000557C000-memory.dmp

Filesize
624KB

Download
memory/2368-139-0x00000000059F0000-0x0000000005F94000-memory.dmp

Filesize
5.6MB

Download
memory/2368-131-0x0000000000000000-mapping.dmp

Download
memory/2368-138-0x0000000000C10000-0x0000000000C36000-memory.dmp

Filesize
152KB

Download
memory/2368-154-0x0000000006760000-0x000000000676A000-memory.dmp

Filesize
40KB

Download
memory/2368-150-0x00000000067E0000-0x00000000069A2000-memory.dmp

Filesize
1.8MB

Download
memory/2368-153-0x00000000069B0000-0x0000000006A42000-memory.dmp

Filesize
584KB

Download
memory/3148-137-0x0000000000660000-0x00000000006BA000-memory.dmp

Filesize
360KB

Download
memory/3148-130-0x0000000000660000-0x00000000006BA000-memory.dmp

Filesize
360KB

Download
memory/3168-151-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/3168-162-0x00000000077D0000-0x0000000007E4A000-memory.dmp

Filesize
6.5MB

Download
memory/3168-155-0x0000000005E80000-0x0000000005E9E000-memory.dmp

Filesize
120KB

Download
memory/3168-149-0x0000000004FC0000-0x0000000004FE2000-memory.dmp

Filesize
136KB

Download
memory/3168-148-0x0000000005020000-0x0000000005648000-memory.dmp

Filesize
6.2MB

Download
memory/3168-147-0x0000000002560000-0x0000000002596000-memory.dmp

Filesize
216KB

Download
memory/3168-159-0x0000000006450000-0x0000000006482000-memory.dmp

Filesize
200KB

Download
memory/3168-160-0x000000006FC10000-0x000000006FC5C000-memory.dmp

Filesize
304KB

Download
memory/3168-161-0x0000000006430000-0x000000000644E000-memory.dmp

Filesize
120KB

Download
memory/3168-152-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/3168-163-0x0000000007190000-0x00000000071AA000-memory.dmp

Filesize
104KB

Download
memory/3168-164-0x0000000007200000-0x000000000720A000-memory.dmp

Filesize
40KB

Download
memory/3168-141-0x0000000000000000-mapping.dmp

Download
memory/3168-166-0x0000000007410000-0x00000000074A6000-memory.dmp

Filesize
600KB

Download
memory/3168-167-0x00000000073C0000-0x00000000073CE000-memory.dmp

Filesize
56KB

Download
memory/3508-146-0x0000000000000000-mapping.dmp

Download
memory/4028-142-0x0000000000000000-mapping.dmp

Download
memory/4116-143-0x0000000000000000-mapping.dmp

Download
memory/4368-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads