snakekeylogger | ee81c7498b4343a8c9353957777a74cf2f615b3b0d8a09846eb06fcde700de63

General

Target

Payment 05-08-22.exe
Size

341KB
MD5

54827a45e0eec3ecb462066523d63e6c
SHA1

7c7a87429e9533c14497c799c085825ca68f5b4a
SHA256

ee81c7498b4343a8c9353957777a74cf2f615b3b0d8a09846eb06fcde700de63
SHA512

0c305685f8f3f1df118fcd75bac38c6c28205ea2690576231f5ae4df69b6d9ea685ec29d1fc1bcaa5c2309d94053addcccab8078cf77a30748ed5ccb32036116

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5410455012:AAE1SHAu8VAoPkLETxqziCFDZfyqp8DD7SA/sendMessage?chat_id=2008035906

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\binn1.exe	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\binn1.exe	family_snakekeylogger
behavioral2/memory/4552-136-0x0000000000600000-0x0000000000626000-memory.dmp	family_snakekeylogger

Executes dropped EXE 1 IoCs

Processes:

binn1.exe

pid process

4552 binn1.exe

pid	process
4552	binn1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Payment 05-08-22.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	Payment 05-08-22.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

binn1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	binn1.exe
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	binn1.exe
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	binn1.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 checkip.dyndns.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

binn1.exe

pid process

4552 binn1.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

binn1.exe

description pid process

Token: SeDebugPrivilege 4552 binn1.exe

flow	ioc
19	checkip.dyndns.org

pid	process
4552	binn1.exe

description	pid	process
Token: SeDebugPrivilege	4552	binn1.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Payment 05-08-22.exe

description	pid	process	target process
PID 3144 wrote to memory of 4552	3144	Payment 05-08-22.exe	binn1.exe
PID 3144 wrote to memory of 4552	3144	Payment 05-08-22.exe	binn1.exe
PID 3144 wrote to memory of 4552	3144	Payment 05-08-22.exe	binn1.exe

outlook_office_path 1 IoCs

Processes:

binn1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	binn1.exe

outlook_win_path 1 IoCs

Processes:

binn1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	binn1.exe

C:\Users\Admin\AppData\Local\Temp\Payment 05-08-22.exe
"C:\Users\Admin\AppData\Local\Temp\Payment 05-08-22.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Local\Temp\binn1.exe
  "C:\Users\Admin\AppData\Local\Temp\binn1.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\binn1.exe

Filesize
126KB

MD5
d7ae412c7b211a55aab4d7c64dff870b

SHA1
4b9a99d232afe69495afd82913090eeaba815fe4

SHA256
025c3a4174f86308877f3e0545849acc881ccc82bafefb5d949169337568081c

SHA512
ee557c31f76724040f888b901073fae5f6e74da5dd4cc3d71310f1bfaceef6e924c603b7eff0de18b0b30e8e3dca387a8b90659714cef3b328716b00a5022218

Download Submit
C:\Users\Admin\AppData\Local\Temp\binn1.exe

Filesize
126KB

MD5
d7ae412c7b211a55aab4d7c64dff870b

SHA1
4b9a99d232afe69495afd82913090eeaba815fe4

SHA256
025c3a4174f86308877f3e0545849acc881ccc82bafefb5d949169337568081c

SHA512
ee557c31f76724040f888b901073fae5f6e74da5dd4cc3d71310f1bfaceef6e924c603b7eff0de18b0b30e8e3dca387a8b90659714cef3b328716b00a5022218

Download Submit
memory/3144-130-0x0000000000B40000-0x0000000000B98000-memory.dmp

Filesize
352KB

Download
memory/3144-131-0x00007FF81DE60000-0x00007FF81E921000-memory.dmp

Filesize
10.8MB

Download
memory/3144-135-0x00007FF81DE60000-0x00007FF81E921000-memory.dmp

Filesize
10.8MB

Download
memory/4552-132-0x0000000000000000-mapping.dmp

Download
memory/4552-136-0x0000000000600000-0x0000000000626000-memory.dmp

Filesize
152KB

Download
memory/4552-137-0x0000000005610000-0x0000000005BB4000-memory.dmp

Filesize
5.6MB

Download
memory/4552-138-0x0000000005060000-0x00000000050FC000-memory.dmp

Filesize
624KB

Download
memory/4552-139-0x0000000006450000-0x0000000006612000-memory.dmp

Filesize
1.8MB

Download
memory/4552-140-0x0000000006620000-0x00000000066B2000-memory.dmp

Filesize
584KB

Download
memory/4552-141-0x00000000063D0000-0x00000000063DA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads