snakekeylogger | a877d4ad09c9afc5bb5880913fd98fcf6989f390685bbd50b7f6acca864d0f44

General

Target

KvlzN7SaEJQgetq.exe
Size

840KB
MD5

bfd1be3c1b51983177c7ec0769816da1
SHA1

10d8ccd2ab82a7c98494b25667b66628fc4487d2
SHA256

a877d4ad09c9afc5bb5880913fd98fcf6989f390685bbd50b7f6acca864d0f44
SHA512

b91ddbbc428d2ee9e9607b5b5d7f8303dc4dbaa6f086da3df76bc85a8ef34f534423fa6e95aa70fbc6e5c023c84a4388e28f8123e6a71e3a99260b663304b15a
SSDEEP

12288:pyvlqU+EegGqZN+2eM2gvX88uT3zVgVn7r95f0bRHwAxxGBH5Ddzoa1cfN:IvdeRqbPeS/83zCV7hN0FxABH5DdEPf

Score

10^/10

snakekeylogger collection keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5527276937:AAFXPayV6BQ7JPPGsD5rUkKZ4cn3m-d_W-0/sendMessage?chat_id=5582419717

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/4744-142-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	KvlzN7SaEJQgetq.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
65	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4104 set thread context of 4744	4104	KvlzN7SaEJQgetq.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4744	MSBuild.exe
2456	powershell.exe
2456	powershell.exe
4744	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	MSBuild.exe
Token: SeDebugPrivilege	2456	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 2456	4104	KvlzN7SaEJQgetq.exe	91
PID 4104 wrote to memory of 2456	4104	KvlzN7SaEJQgetq.exe	91
PID 4104 wrote to memory of 2456	4104	KvlzN7SaEJQgetq.exe	91
PID 4104 wrote to memory of 2700	4104	KvlzN7SaEJQgetq.exe	93
PID 4104 wrote to memory of 2700	4104	KvlzN7SaEJQgetq.exe	93
PID 4104 wrote to memory of 2700	4104	KvlzN7SaEJQgetq.exe	93
PID 4104 wrote to memory of 4744	4104	KvlzN7SaEJQgetq.exe	95
PID 4104 wrote to memory of 4744	4104	KvlzN7SaEJQgetq.exe	95
PID 4104 wrote to memory of 4744	4104	KvlzN7SaEJQgetq.exe	95
PID 4104 wrote to memory of 4744	4104	KvlzN7SaEJQgetq.exe	95
PID 4104 wrote to memory of 4744	4104	KvlzN7SaEJQgetq.exe	95
PID 4104 wrote to memory of 4744	4104	KvlzN7SaEJQgetq.exe	95
PID 4104 wrote to memory of 4744	4104	KvlzN7SaEJQgetq.exe	95
PID 4104 wrote to memory of 4744	4104	KvlzN7SaEJQgetq.exe	95

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\KvlzN7SaEJQgetq.exe
"C:\Users\Admin\AppData\Local\Temp\KvlzN7SaEJQgetq.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lQwmSGounmCmJ.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lQwmSGounmCmJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp389F.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp389F.tmp

Filesize
1KB

MD5
ca96ae3d4ec12b58eddf0ed397f3bc50

SHA1
866bc4317f68c2b6dd0a36cd59c0edd0c0ffa0ea

SHA256
4175ddf5ceaee2a1a3bf781c2eb94ce36ee262a4730e23fd418f09eeba29aae7

SHA512
4e0bcc5447759f61a8dbea5756b6631264640a3396aabf067bdf37bd1321f8e3b0f574855fc00bc12fc69b1feb803c4661a63b39a4d30224635e0a44943b08e1

Download Submit
memory/2456-150-0x0000000070180000-0x00000000701CC000-memory.dmp

Filesize
304KB

Download
memory/2456-155-0x0000000007D10000-0x0000000007DA6000-memory.dmp

Filesize
600KB

Download
memory/2456-146-0x0000000005F70000-0x0000000005FD6000-memory.dmp

Filesize
408KB

Download
memory/2456-147-0x00000000065C0000-0x00000000065DE000-memory.dmp

Filesize
120KB

Download
memory/2456-152-0x0000000008110000-0x000000000878A000-memory.dmp

Filesize
6.5MB

Download
memory/2456-139-0x0000000002DF0000-0x0000000002E26000-memory.dmp

Filesize
216KB

Download
memory/2456-145-0x0000000005830000-0x0000000005896000-memory.dmp

Filesize
408KB

Download
memory/2456-157-0x0000000007DD0000-0x0000000007DEA000-memory.dmp

Filesize
104KB

Download
memory/2456-156-0x0000000007CD0000-0x0000000007CDE000-memory.dmp

Filesize
56KB

Download
memory/2456-143-0x0000000005940000-0x0000000005F68000-memory.dmp

Filesize
6.2MB

Download
memory/2456-144-0x0000000005790000-0x00000000057B2000-memory.dmp

Filesize
136KB

Download
memory/2456-158-0x0000000007DB0000-0x0000000007DB8000-memory.dmp

Filesize
32KB

Download
memory/2456-151-0x0000000006D20000-0x0000000006D3E000-memory.dmp

Filesize
120KB

Download
memory/2456-154-0x0000000007B00000-0x0000000007B0A000-memory.dmp

Filesize
40KB

Download
memory/2456-153-0x0000000007A90000-0x0000000007AAA000-memory.dmp

Filesize
104KB

Download
memory/2456-149-0x0000000006D40000-0x0000000006D72000-memory.dmp

Filesize
200KB

Download
memory/4104-133-0x00000000051F0000-0x0000000005794000-memory.dmp

Filesize
5.6MB

Download
memory/4104-132-0x0000000000100000-0x00000000001D8000-memory.dmp

Filesize
864KB

Download
memory/4104-136-0x0000000007460000-0x00000000074FC000-memory.dmp

Filesize
624KB

Download
memory/4104-135-0x0000000004C20000-0x0000000004C2A000-memory.dmp

Filesize
40KB

Download
memory/4104-134-0x0000000004B60000-0x0000000004BF2000-memory.dmp

Filesize
584KB

Download
memory/4744-148-0x0000000006820000-0x00000000069E2000-memory.dmp

Filesize
1.8MB

Download
memory/4744-142-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads