snakekeylogger | 501317a60d63bac59b9cc6994cd4d03207a929ab689939d062635656b4ed8231

Analysis

max time kernel
72s
max time network
140s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-08-2022 06:32

Target

AnZNZkqSCLtCdJP.exe
Size

126KB
MD5

ccc9e9ce00ae36543aea7653db6479ba
SHA1

0ebfeb138b7be5ad4fa3699d430fa6aaf393749c
SHA256

9b99bfeaca81fa2a9b5f525bd35d6f7f87866a65970f3fcde51085401e51e4d5
SHA512

552be92d536dd23207cbb09328663ebf33e3091acdacf73c1b037fba911cc4415a71522f0186025a44689d517ce04ce90f119ed988caa5e5621582d7525e55d6
SSDEEP

3072:Wnq4TwsW7L1GS9I3Hiy3eb8W5wBrjFbY:mQ7RMl3ebWZb

Score

10^/10

Family

snakekeylogger

Credentials

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral3/memory/1580-54-0x0000000001360000-0x0000000001386000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Program crash 1 IoCs

pid	pid_target	Process	procid_target
864	1580	WerFault.exe	22

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1580	AnZNZkqSCLtCdJP.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1580	AnZNZkqSCLtCdJP.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 864	1580	AnZNZkqSCLtCdJP.exe	27
PID 1580 wrote to memory of 864	1580	AnZNZkqSCLtCdJP.exe	27
PID 1580 wrote to memory of 864	1580	AnZNZkqSCLtCdJP.exe	27
PID 1580 wrote to memory of 864	1580	AnZNZkqSCLtCdJP.exe	27

C:\Users\Admin\AppData\Local\Temp\AnZNZkqSCLtCdJP.exe
"C:\Users\Admin\AppData\Local\Temp\AnZNZkqSCLtCdJP.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1100
  2⤵
  - Program crash
  PID:864

memory/1580-54-0x0000000001360000-0x0000000001386000-memory.dmp

Filesize
152KB

Download
memory/1580-55-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download