snakekeylogger | 6ac2c5094ab610f7fb38129fb5bc1e66e38ed0144cc19bd0dd85c4bb582a1d19

General

Target

hesap bildirimi..exe
Size

1.2MB
MD5

b23dbdb6ce8b1d0e3c6f185751935dd5
SHA1

be60259efa69bbcb776a727d225c98120ea5c620
SHA256

6ac2c5094ab610f7fb38129fb5bc1e66e38ed0144cc19bd0dd85c4bb582a1d19
SHA512

a02e49b3a4555961df246ea60efd930d073801676a829a4289f48c6a3a46e9d5180c5ca16188c6367ad22e6a48c865e2f31902d5d6017e91bb261828fe819ff0
SSDEEP

12288:euvHk2XK0W8aV7le/XN7OAKJTO1j9fQM0WvlzieK4HTN:YqK0W8aV7U/XN7tRiWvc

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5310184099:AAGxqu0IL8tjOF6Eq6x2u0gfcHhvuxRwfLU/sendMessage?chat_id=5350445922

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4060-139-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

hesap bildirimi..exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hesap bildirimi..exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hesap bildirimi..exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hesap bildirimi..exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

hesap bildirimi..exe

description pid process target process

PID 1260 set thread context of 4060 1260 hesap bildirimi..exe hesap bildirimi..exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

hesap bildirimi..exe

pid process

4060 hesap bildirimi..exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

hesap bildirimi..exe

description pid process

Token: SeDebugPrivilege 4060 hesap bildirimi..exe

flow	ioc
35	checkip.dyndns.org

description	pid	process	target process
PID 1260 set thread context of 4060	1260	hesap bildirimi..exe	hesap bildirimi..exe

pid	process
4060	hesap bildirimi..exe

description	pid	process
Token: SeDebugPrivilege	4060	hesap bildirimi..exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

hesap bildirimi..exe

description	pid	process	target process
PID 1260 wrote to memory of 4060	1260	hesap bildirimi..exe	hesap bildirimi..exe
PID 1260 wrote to memory of 4060	1260	hesap bildirimi..exe	hesap bildirimi..exe
PID 1260 wrote to memory of 4060	1260	hesap bildirimi..exe	hesap bildirimi..exe
PID 1260 wrote to memory of 4060	1260	hesap bildirimi..exe	hesap bildirimi..exe
PID 1260 wrote to memory of 4060	1260	hesap bildirimi..exe	hesap bildirimi..exe
PID 1260 wrote to memory of 4060	1260	hesap bildirimi..exe	hesap bildirimi..exe
PID 1260 wrote to memory of 4060	1260	hesap bildirimi..exe	hesap bildirimi..exe
PID 1260 wrote to memory of 4060	1260	hesap bildirimi..exe	hesap bildirimi..exe

outlook_office_path 1 IoCs

Processes:

hesap bildirimi..exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hesap bildirimi..exe

outlook_win_path 1 IoCs

Processes:

hesap bildirimi..exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hesap bildirimi..exe

C:\Users\Admin\AppData\Local\Temp\hesap bildirimi..exe
"C:\Users\Admin\AppData\Local\Temp\hesap bildirimi..exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\hesap bildirimi..exe
"C:\Users\Admin\AppData\Local\Temp\hesap bildirimi..exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hesap bildirimi..exe.log
Filesize
1KB

MD5
e08f822522c617a40840c62e4b0fb45e

SHA1
ae516dca4da5234be6676d3f234c19ec55725be7

SHA256
bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

SHA512
894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

Download Submit
memory/1260-132-0x0000000000820000-0x000000000094C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-133-0x00000000057D0000-0x0000000005D74000-memory.dmp

Filesize
5.6MB

Download
memory/1260-134-0x0000000005220000-0x00000000052B2000-memory.dmp

Filesize
584KB

Download
memory/1260-135-0x0000000005190000-0x000000000519A000-memory.dmp

Filesize
40KB

Download
memory/1260-136-0x0000000008270000-0x000000000830C000-memory.dmp

Filesize
624KB

Download
memory/1260-137-0x00000000010C0000-0x0000000001126000-memory.dmp

Filesize
408KB

Download
memory/4060-138-0x0000000000000000-mapping.dmp

Download
memory/4060-139-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4060-141-0x0000000006C90000-0x0000000006E52000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads