snakekeylogger | a877d4ad09c9afc5bb5880913fd98fcf6989f390685bbd50b7f6acca864d0f44

General

Target

KvlzN7SaEJQgetq.exe
Size

840KB
MD5

bfd1be3c1b51983177c7ec0769816da1
SHA1

10d8ccd2ab82a7c98494b25667b66628fc4487d2
SHA256

a877d4ad09c9afc5bb5880913fd98fcf6989f390685bbd50b7f6acca864d0f44
SHA512

b91ddbbc428d2ee9e9607b5b5d7f8303dc4dbaa6f086da3df76bc85a8ef34f534423fa6e95aa70fbc6e5c023c84a4388e28f8123e6a71e3a99260b663304b15a
SSDEEP

12288:pyvlqU+EegGqZN+2eM2gvX88uT3zVgVn7r95f0bRHwAxxGBH5Ddzoa1cfN:IvdeRqbPeS/83zCV7hN0FxABH5DdEPf

Score

10^/10

snakekeylogger collection keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5527276937:AAFXPayV6BQ7JPPGsD5rUkKZ4cn3m-d_W-0/sendMessage?chat_id=5582419717

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

resource	yara_rule
behavioral1/memory/1520-67-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1520-69-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1520-70-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1520-71-0x00000000004206BE-mapping.dmp	family_snakekeylogger
behavioral1/memory/1520-73-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1520-75-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1600 set thread context of 1520	1600	KvlzN7SaEJQgetq.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1520	MSBuild.exe
468	powershell.exe
1520	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	MSBuild.exe
Token: SeDebugPrivilege	468	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 468	1600	KvlzN7SaEJQgetq.exe	27
PID 1600 wrote to memory of 468	1600	KvlzN7SaEJQgetq.exe	27
PID 1600 wrote to memory of 468	1600	KvlzN7SaEJQgetq.exe	27
PID 1600 wrote to memory of 468	1600	KvlzN7SaEJQgetq.exe	27
PID 1600 wrote to memory of 280	1600	KvlzN7SaEJQgetq.exe	29
PID 1600 wrote to memory of 280	1600	KvlzN7SaEJQgetq.exe	29
PID 1600 wrote to memory of 280	1600	KvlzN7SaEJQgetq.exe	29
PID 1600 wrote to memory of 280	1600	KvlzN7SaEJQgetq.exe	29
PID 1600 wrote to memory of 1520	1600	KvlzN7SaEJQgetq.exe	31
PID 1600 wrote to memory of 1520	1600	KvlzN7SaEJQgetq.exe	31
PID 1600 wrote to memory of 1520	1600	KvlzN7SaEJQgetq.exe	31
PID 1600 wrote to memory of 1520	1600	KvlzN7SaEJQgetq.exe	31
PID 1600 wrote to memory of 1520	1600	KvlzN7SaEJQgetq.exe	31
PID 1600 wrote to memory of 1520	1600	KvlzN7SaEJQgetq.exe	31
PID 1600 wrote to memory of 1520	1600	KvlzN7SaEJQgetq.exe	31
PID 1600 wrote to memory of 1520	1600	KvlzN7SaEJQgetq.exe	31
PID 1600 wrote to memory of 1520	1600	KvlzN7SaEJQgetq.exe	31

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\KvlzN7SaEJQgetq.exe
"C:\Users\Admin\AppData\Local\Temp\KvlzN7SaEJQgetq.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lQwmSGounmCmJ.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:468
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lQwmSGounmCmJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD6D0.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD6D0.tmp

Filesize
1KB

MD5
d5409c499deadd676be2738b627aaf0e

SHA1
9ff8c4cad4c3394634d0a07b8db9770d88fbec63

SHA256
2b9570225ef8b7fb74aabdd06fdc67ed8778bd3d0e6ae2d70373c73a8dfc42f8

SHA512
219c65de4ef8ed8d980da434a987bff2ce2b2fc2946cf477d74da57cb32c21827facf09d8dff0d3c92653759d4bc20279969a161f40d7d6412bf69b4bf28500f

Download Submit
memory/468-78-0x000000006E3E0000-0x000000006E98B000-memory.dmp

Filesize
5.7MB

Download
memory/468-77-0x000000006E3E0000-0x000000006E98B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-75-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1520-73-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1520-70-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1520-64-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1520-65-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1520-67-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1520-69-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1600-58-0x00000000056D0000-0x0000000005756000-memory.dmp

Filesize
536KB

Download
memory/1600-63-0x00000000050A0000-0x00000000050EE000-memory.dmp

Filesize
312KB

Download
memory/1600-54-0x0000000000A20000-0x0000000000AF8000-memory.dmp

Filesize
864KB

Download
memory/1600-57-0x00000000007E0000-0x00000000007EE000-memory.dmp

Filesize
56KB

Download
memory/1600-56-0x0000000000320000-0x0000000000336000-memory.dmp

Filesize
88KB

Download
memory/1600-55-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads