snakekeylogger | 8c8d32ce1daf82a1e2864bdf0d86bd17ba7e2282dd549a826242181ef04b9183

Analysis

max time kernel
58s
max time network
127s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
06-08-2022 07:05

Target

confirmations.exe
Size

712KB
MD5

4ab1f4f9bdadbdb865bbc24c5139ee5b
SHA1

fa1291a26d6716f709c7526b6033bc0dbe49c016
SHA256

8c8d32ce1daf82a1e2864bdf0d86bd17ba7e2282dd549a826242181ef04b9183
SHA512

f85f64e326b2be36271189e50ea6eed10cabc0776a646e3f8b3ab5ae0b8a00e96e1c498218e80b88c13ffff75d52aaf4054d14c9095b42becebb33affdceba8b

Score

10^/10

Family

snakekeylogger

https://api.telegram.org/bot5438794068:AAGoE4bpAIHtaGy3WdbPtgtC0pMD4Rz1TZU/sendMessage?chat_id=5268739623

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2016-63-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2016-65-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2016-66-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2016-67-0x00000000004202DE-mapping.dmp	family_snakekeylogger
behavioral1/memory/2016-69-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2016-71-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

confirmations.exe

description pid process target process

PID 912 set thread context of 2016 912 confirmations.exe confirmations.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

704 2016 WerFault.exe confirmations.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

confirmations.exe

pid process

2016 confirmations.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

confirmations.exe

description pid process

Token: SeDebugPrivilege 2016 confirmations.exe

flow	ioc
4	checkip.dyndns.org

description	pid	process	target process
PID 912 set thread context of 2016	912	confirmations.exe	confirmations.exe

pid	pid_target	process	target process
704	2016	WerFault.exe	confirmations.exe

pid	process
2016	confirmations.exe

description	pid	process
Token: SeDebugPrivilege	2016	confirmations.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

confirmations.execonfirmations.exe

description	pid	process	target process
PID 912 wrote to memory of 2016	912	confirmations.exe	confirmations.exe
PID 912 wrote to memory of 2016	912	confirmations.exe	confirmations.exe
PID 912 wrote to memory of 2016	912	confirmations.exe	confirmations.exe
PID 912 wrote to memory of 2016	912	confirmations.exe	confirmations.exe
PID 912 wrote to memory of 2016	912	confirmations.exe	confirmations.exe
PID 912 wrote to memory of 2016	912	confirmations.exe	confirmations.exe
PID 912 wrote to memory of 2016	912	confirmations.exe	confirmations.exe
PID 912 wrote to memory of 2016	912	confirmations.exe	confirmations.exe
PID 912 wrote to memory of 2016	912	confirmations.exe	confirmations.exe
PID 2016 wrote to memory of 704	2016	confirmations.exe	WerFault.exe
PID 2016 wrote to memory of 704	2016	confirmations.exe	WerFault.exe
PID 2016 wrote to memory of 704	2016	confirmations.exe	WerFault.exe
PID 2016 wrote to memory of 704	2016	confirmations.exe	WerFault.exe

memory/704-73-0x0000000000000000-mapping.dmp

Download
memory/912-55-0x0000000074DB1000-0x0000000074DB3000-memory.dmp

Filesize
8KB

Download
memory/912-56-0x00000000002E0000-0x00000000002F6000-memory.dmp

Filesize
88KB

Download
memory/912-57-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/912-58-0x0000000004D90000-0x0000000004E04000-memory.dmp

Filesize
464KB

Download
memory/912-59-0x0000000002130000-0x0000000002158000-memory.dmp

Filesize
160KB

Download
memory/912-54-0x0000000000C70000-0x0000000000D28000-memory.dmp

Filesize
736KB

Download
memory/2016-60-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2016-63-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2016-65-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2016-66-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2016-67-0x00000000004202DE-mapping.dmp

Download
memory/2016-69-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2016-71-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2016-61-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download