snakekeylogger | 03d4bb735b60dc20cf33082230bfd5bd8eeefad188620352311d9d8b8f6dc29c

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2022, 07:13

Target

a85dead4177a67474c2d593a0ceb1083.exe
Size

377KB
MD5

a85dead4177a67474c2d593a0ceb1083
SHA1

a941b1d948cb6846bbafbc4a3f9bcd58ba6917f9
SHA256

03d4bb735b60dc20cf33082230bfd5bd8eeefad188620352311d9d8b8f6dc29c
SHA512

de0dbea9a818759fa56e4241de9d876cd20a33c2cc79185479943ba0b2e73a3b7190d20d641fb45d29a6d9ae600c307aac2f22209cbf8d005ba5ffba4b6ae33a

Score

10^/10

Family

snakekeylogger

Credentials

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/988-132-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4460 set thread context of 988	4460	a85dead4177a67474c2d593a0ceb1083.exe	83

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2364	988	WerFault.exe	83
2620	988	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4460	a85dead4177a67474c2d593a0ceb1083.exe
Token: SeDebugPrivilege	988	a85dead4177a67474c2d593a0ceb1083.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 988	4460	a85dead4177a67474c2d593a0ceb1083.exe	83
PID 4460 wrote to memory of 988	4460	a85dead4177a67474c2d593a0ceb1083.exe	83
PID 4460 wrote to memory of 988	4460	a85dead4177a67474c2d593a0ceb1083.exe	83
PID 4460 wrote to memory of 988	4460	a85dead4177a67474c2d593a0ceb1083.exe	83
PID 4460 wrote to memory of 988	4460	a85dead4177a67474c2d593a0ceb1083.exe	83
PID 4460 wrote to memory of 988	4460	a85dead4177a67474c2d593a0ceb1083.exe	83
PID 4460 wrote to memory of 988	4460	a85dead4177a67474c2d593a0ceb1083.exe	83
PID 4460 wrote to memory of 988	4460	a85dead4177a67474c2d593a0ceb1083.exe	83
PID 988 wrote to memory of 2364	988	a85dead4177a67474c2d593a0ceb1083.exe	100
PID 988 wrote to memory of 2364	988	a85dead4177a67474c2d593a0ceb1083.exe	100
PID 988 wrote to memory of 2364	988	a85dead4177a67474c2d593a0ceb1083.exe	100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 988 -ip 988
1⤵
PID:2808

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a85dead4177a67474c2d593a0ceb1083.exe.log

Filesize
621B

MD5
ad1a8f8d9ea2fe08bd64dd13d6ad450e

SHA1
46a4f5c0e86bedd8f94bdfa0e75005809fc3299b

SHA256
a70ec63df01049ca33e9e9ba171b339b71dc26d88dfbfdf31c15d22cb7bec5e4

SHA512
3bfa4bfedc2ca9922ecc85d7793c5cb47d285f0c4f98e555136f678498c86cf8c6664b3da099e1dd5a01c8151bf643c6a957268e281768b567dc4f5295c5d62c

Download Submit
memory/988-132-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/988-134-0x0000000005B00000-0x00000000060A4000-memory.dmp

Filesize
5.6MB

Download
memory/988-135-0x0000000005550000-0x00000000055EC000-memory.dmp

Filesize
624KB

Download
memory/4460-130-0x0000000000440000-0x00000000004A4000-memory.dmp

Filesize
400KB

Download