snakekeylogger | 501317a60d63bac59b9cc6994cd4d03207a929ab689939d062635656b4ed8231

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2022, 06:32

Target

BeRWDywBMMSobQZ.exe
Size

126KB
MD5

30d8ed3c4ce8a7101f099d0c362bdd2f
SHA1

620d7704df3924ae1af824c9f69af0edbec1a3e4
SHA256

73493f393423de3502be624402e63b53216a91ec15cb5ab1357661a75c2ad29e
SHA512

539a9e0ae03679118c553391c325cddcaeae40f6ea11a5a82b5f77f85050e09cccc62ee9e5ff897c7ec5c425c84e004de13dec43069389c77c65e2229728b484
SSDEEP

3072:mjememsTaR9OHR83H6uZ3o5b81McwBrHFbY:ge7aEAauZMbAMHlb

Score

10^/10

Family

snakekeylogger

Credentials

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral12/memory/5028-132-0x0000000000080000-0x00000000000A6000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	checkip.dyndns.org

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1128	5028	WerFault.exe	81
3532	5028	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
5028	BeRWDywBMMSobQZ.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5028	BeRWDywBMMSobQZ.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 1128	5028	BeRWDywBMMSobQZ.exe	84
PID 5028 wrote to memory of 1128	5028	BeRWDywBMMSobQZ.exe	84
PID 5028 wrote to memory of 1128	5028	BeRWDywBMMSobQZ.exe	84

C:\Users\Admin\AppData\Local\Temp\BeRWDywBMMSobQZ.exe
"C:\Users\Admin\AppData\Local\Temp\BeRWDywBMMSobQZ.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1512
  2⤵
  - Program crash
  PID:1128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1512
  2⤵
  - Program crash
  PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5028 -ip 5028
1⤵
PID:1740

memory/5028-132-0x0000000000080000-0x00000000000A6000-memory.dmp

Filesize
152KB

Download
memory/5028-133-0x00000000050D0000-0x0000000005674000-memory.dmp

Filesize
5.6MB

Download
memory/5028-134-0x0000000004A40000-0x0000000004ADC000-memory.dmp

Filesize
624KB

Download