snakekeylogger | 8ef5abf806b4399370b4c8a1ea4f0b87e995754b4594d751ba2648c55b71ad25

Analysis

max time kernel
180s
max time network
233s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 17:18

Target

payment copy.exe
Size

632KB
MD5

9dc11bc9f45646da72f1fcd80ec3c8ef
SHA1

6238eec6748e70e2685e8c2b58e9cbc7e41898ca
SHA256

8ef5abf806b4399370b4c8a1ea4f0b87e995754b4594d751ba2648c55b71ad25
SHA512

efd10d089aead06fe4dd841716f5348e94ce26fbf3b084a9345de28b88a79cb903a7ae7372378ed6ce6bd530eae739814df1b0d009bc2f5448168fddf50a9946
SSDEEP

12288:pM9Dgh/PsZ1DX/VDJUS79oddN1hluiiahnUv+tECuLWJ:0Dgh/P7SQdDJ/hUG2Vi

Score

10^/10

Family

snakekeylogger

Credentials

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3952-138-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

86 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

payment copy.exe

description pid process target process

PID 1424 set thread context of 3952 1424 payment copy.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

payment copy.exeRegSvcs.exe

pid process

1424 payment copy.exe
1424 payment copy.exe
3952 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

payment copy.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1424 payment copy.exe
Token: SeDebugPrivilege 3952 RegSvcs.exe

flow	ioc
86	checkip.dyndns.org

description	pid	process	target process
PID 1424 set thread context of 3952	1424	payment copy.exe	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1424	payment copy.exe
Token: SeDebugPrivilege	3952	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

payment copy.exe

description	pid	process	target process
PID 1424 wrote to memory of 3952	1424	payment copy.exe	RegSvcs.exe
PID 1424 wrote to memory of 3952	1424	payment copy.exe	RegSvcs.exe
PID 1424 wrote to memory of 3952	1424	payment copy.exe	RegSvcs.exe
PID 1424 wrote to memory of 3952	1424	payment copy.exe	RegSvcs.exe
PID 1424 wrote to memory of 3952	1424	payment copy.exe	RegSvcs.exe
PID 1424 wrote to memory of 3952	1424	payment copy.exe	RegSvcs.exe
PID 1424 wrote to memory of 3952	1424	payment copy.exe	RegSvcs.exe
PID 1424 wrote to memory of 3952	1424	payment copy.exe	RegSvcs.exe

memory/1424-132-0x0000000000930000-0x00000000009D4000-memory.dmp

Filesize
656KB

Download
memory/1424-133-0x0000000005830000-0x0000000005DD4000-memory.dmp

Filesize
5.6MB

Download
memory/1424-134-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/1424-135-0x0000000005500000-0x000000000550A000-memory.dmp

Filesize
40KB

Download
memory/1424-136-0x0000000007950000-0x00000000079EC000-memory.dmp

Filesize
624KB

Download
memory/3952-137-0x0000000000000000-mapping.dmp

Download
memory/3952-138-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download