snakekeylogger | b157fa01587fe60f17ece3e9252692cedc7c90376fb22659e877dd429e6106d3

General

Target

TNT SHIPPING DOCUMENT.exe
Size

978KB
MD5

9a659e807d4646ac728e17e382293048
SHA1

dc44c87555290b9e57b2afb6cc3670c9a8cc0455
SHA256

b157fa01587fe60f17ece3e9252692cedc7c90376fb22659e877dd429e6106d3
SHA512

f1aebb17e8c5a92c75ec6039540fb497cdb5fda83aeb5f0b93c3c18ddc8ac3085e895a682636d4dd8d2f421fd97127e2769e4c941fcdc764b9f2b531006ae01a
SSDEEP

24576:iX38QBb4K+ij9SMMHqlw5QkhcmiyBL5twAACCUEOaDGz2FcbQ/q2SPY50dL8QLgS:iX38QO8xSPl7gSRIi

Score

10^/10

snakekeylogger keylogger persistence stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
kiamotors-khyber.com
Port:
587
Username:
[email protected]
Password:
Humble1000$
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/4788-143-0x0000000000400000-0x000000000041C000-memory.dmp	family_snakekeylogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	TNT SHIPPING DOCUMENT.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mdhxbj = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tgaeybnz\\Mdhxbj.exe\""	TNT SHIPPING DOCUMENT.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
41	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1696 set thread context of 4788	1696	TNT SHIPPING DOCUMENT.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4560	powershell.exe
4560	powershell.exe
4788	TNT SHIPPING DOCUMENT.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	TNT SHIPPING DOCUMENT.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	4788	TNT SHIPPING DOCUMENT.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 4560	1696	TNT SHIPPING DOCUMENT.exe	82
PID 1696 wrote to memory of 4560	1696	TNT SHIPPING DOCUMENT.exe	82
PID 1696 wrote to memory of 4560	1696	TNT SHIPPING DOCUMENT.exe	82
PID 1696 wrote to memory of 4788	1696	TNT SHIPPING DOCUMENT.exe	95
PID 1696 wrote to memory of 4788	1696	TNT SHIPPING DOCUMENT.exe	95
PID 1696 wrote to memory of 4788	1696	TNT SHIPPING DOCUMENT.exe	95
PID 1696 wrote to memory of 4788	1696	TNT SHIPPING DOCUMENT.exe	95
PID 1696 wrote to memory of 4788	1696	TNT SHIPPING DOCUMENT.exe	95
PID 1696 wrote to memory of 4788	1696	TNT SHIPPING DOCUMENT.exe	95
PID 1696 wrote to memory of 4788	1696	TNT SHIPPING DOCUMENT.exe	95
PID 1696 wrote to memory of 4788	1696	TNT SHIPPING DOCUMENT.exe	95

C:\Users\Admin\AppData\Local\Temp\TNT SHIPPING DOCUMENT.exe
"C:\Users\Admin\AppData\Local\Temp\TNT SHIPPING DOCUMENT.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4560
- C:\Users\Admin\AppData\Local\Temp\TNT SHIPPING DOCUMENT.exe
  "C:\Users\Admin\AppData\Local\Temp\TNT SHIPPING DOCUMENT.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TNT SHIPPING DOCUMENT.exe.log

Filesize
1KB

MD5
7e88081fcf716d85992bb3af3d9b6454

SHA1
2153780fbc71061b0102a7a7b665349e1013e250

SHA256
5ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2

SHA512
ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7

Download Submit
memory/1696-132-0x0000000000EE0000-0x0000000000FDA000-memory.dmp

Filesize
1000KB

Download
memory/1696-133-0x0000000005A90000-0x0000000005AB2000-memory.dmp

Filesize
136KB

Download
memory/4560-138-0x00000000061B0000-0x0000000006216000-memory.dmp

Filesize
408KB

Download
memory/4560-136-0x0000000005AA0000-0x00000000060C8000-memory.dmp

Filesize
6.2MB

Download
memory/4560-137-0x0000000006140000-0x00000000061A6000-memory.dmp

Filesize
408KB

Download
memory/4560-135-0x0000000003370000-0x00000000033A6000-memory.dmp

Filesize
216KB

Download
memory/4560-139-0x0000000005670000-0x000000000568E000-memory.dmp

Filesize
120KB

Download
memory/4560-140-0x0000000008160000-0x00000000087DA000-memory.dmp

Filesize
6.5MB

Download
memory/4560-141-0x0000000006DE0000-0x0000000006DFA000-memory.dmp

Filesize
104KB

Download
memory/4788-143-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4788-145-0x0000000005830000-0x0000000005DD4000-memory.dmp

Filesize
5.6MB

Download
memory/4788-146-0x0000000005320000-0x00000000053BC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing