snakekeylogger | 317e7fb654d01b558848d3ca8f7e79c05959c3abd167ff6c4df5aa99061f4dd0

General

Target

SOA_pdf_document.exe
Size

265KB
MD5

1305f958fa05e99677d391ca125ef00c
SHA1

1dc577b2757cc7f45a7a7c3595595a033f2f498a
SHA256

317e7fb654d01b558848d3ca8f7e79c05959c3abd167ff6c4df5aa99061f4dd0
SHA512

689dbde7e8abf825028270c84d2ed8f6a6509d80c0362c35580f65104c9a1601c7b2ccbc37aaf1e03096e66c1b6683c4643e4ba648457be5063a4f714256030a
SSDEEP

6144:/Ya6ckDpWD5QV5A4+/B9LPTpFRpUsUlOY+KBLMm/cS4mtP:/YikDQDT/B9LTTQsUUPQMUcmF

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
smtp.mezemar.com
Port:
587
Username:
[email protected]
Password:
x1}I6yQ~@azw

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

resource	yara_rule
behavioral1/memory/1524-66-0x0000000000320000-0x0000000000346000-memory.dmp	family_snakekeylogger
behavioral1/memory/1524-67-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger

Executes dropped EXE 2 IoCs

pid	Process
1732	kcuwjccjhj.exe
1524	kcuwjccjhj.exe

Loads dropped DLL 2 IoCs

pid	Process
1980	SOA_pdf_document.exe
1732	kcuwjccjhj.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	kcuwjccjhj.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	kcuwjccjhj.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	kcuwjccjhj.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1732 set thread context of 1524	1732	kcuwjccjhj.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1524	kcuwjccjhj.exe
1524	kcuwjccjhj.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1732	kcuwjccjhj.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1524	kcuwjccjhj.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1732	1980	SOA_pdf_document.exe	28
PID 1980 wrote to memory of 1732	1980	SOA_pdf_document.exe	28
PID 1980 wrote to memory of 1732	1980	SOA_pdf_document.exe	28
PID 1980 wrote to memory of 1732	1980	SOA_pdf_document.exe	28
PID 1732 wrote to memory of 1524	1732	kcuwjccjhj.exe	29
PID 1732 wrote to memory of 1524	1732	kcuwjccjhj.exe	29
PID 1732 wrote to memory of 1524	1732	kcuwjccjhj.exe	29
PID 1732 wrote to memory of 1524	1732	kcuwjccjhj.exe	29
PID 1732 wrote to memory of 1524	1732	kcuwjccjhj.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	kcuwjccjhj.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	kcuwjccjhj.exe

C:\Users\Admin\AppData\Local\Temp\SOA_pdf_document.exe
"C:\Users\Admin\AppData\Local\Temp\SOA_pdf_document.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\kcuwjccjhj.exe
  "C:\Users\Admin\AppData\Local\Temp\kcuwjccjhj.exe" C:\Users\Admin\AppData\Local\Temp\llueru.f
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Local\Temp\kcuwjccjhj.exe
    "C:\Users\Admin\AppData\Local\Temp\kcuwjccjhj.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jkgbrgy.i

Filesize
225KB

MD5
02d386b9bdfbe246394531b5e72b402b

SHA1
0278d8cb9743f9978742bc64a2a07f3cabe51ab6

SHA256
662cbcb34d77e790607e8d04ca49e78699e9f49a5aad9705784f3e4551c188c3

SHA512
d1200c2c2b3a1fac550439f80b2a3afc5770be9cfb96d681eb88109e0578623ca2a505dc97cf5d39412804154abbea7f0cc9b9cca0a3dc62c86d9777b9a12790

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcuwjccjhj.exe

Filesize
79KB

MD5
33ea1e3f0aab54f3449e0d281787e669

SHA1
5537e4584a52ffa6a614740cfc266d7c156cef7d

SHA256
67d132f7343eb9038115b88f32c626b5b80a3d406d4bdd758aefd43a8e20af32

SHA512
c0277dc1a0b7f02b64113a0225e7e4d3624cded9de0be0c439fa5f47b2496086821f19aa1d94f06e4f524bcbec56cb3ce19f5b528f996c6ea362eaa21c795694

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcuwjccjhj.exe

Filesize
79KB

MD5
33ea1e3f0aab54f3449e0d281787e669

SHA1
5537e4584a52ffa6a614740cfc266d7c156cef7d

SHA256
67d132f7343eb9038115b88f32c626b5b80a3d406d4bdd758aefd43a8e20af32

SHA512
c0277dc1a0b7f02b64113a0225e7e4d3624cded9de0be0c439fa5f47b2496086821f19aa1d94f06e4f524bcbec56cb3ce19f5b528f996c6ea362eaa21c795694

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcuwjccjhj.exe

Filesize
79KB

MD5
33ea1e3f0aab54f3449e0d281787e669

SHA1
5537e4584a52ffa6a614740cfc266d7c156cef7d

SHA256
67d132f7343eb9038115b88f32c626b5b80a3d406d4bdd758aefd43a8e20af32

SHA512
c0277dc1a0b7f02b64113a0225e7e4d3624cded9de0be0c439fa5f47b2496086821f19aa1d94f06e4f524bcbec56cb3ce19f5b528f996c6ea362eaa21c795694

Download Submit
C:\Users\Admin\AppData\Local\Temp\llueru.f

Filesize
5KB

MD5
4d5c37226515e39e5d57347e6d151fe5

SHA1
5435dd83ff3d740dfa756f516f9db6c629696f29

SHA256
3aa3f6d5fa35d6190b1dbe94723c0b1fb724c268a34b42fd104514881ef3ebb9

SHA512
f714f00d6c40d76bc6d0eeb1f00c5e0c14dd4b859cde4ab096062df65533bd85d78db8f8657df44a65dd32b67cb2b6be1103713bc1cb2279db2f01a27ea3116f

Download Submit
\Users\Admin\AppData\Local\Temp\kcuwjccjhj.exe

Filesize
79KB

MD5
33ea1e3f0aab54f3449e0d281787e669

SHA1
5537e4584a52ffa6a614740cfc266d7c156cef7d

SHA256
67d132f7343eb9038115b88f32c626b5b80a3d406d4bdd758aefd43a8e20af32

SHA512
c0277dc1a0b7f02b64113a0225e7e4d3624cded9de0be0c439fa5f47b2496086821f19aa1d94f06e4f524bcbec56cb3ce19f5b528f996c6ea362eaa21c795694

Download Submit
\Users\Admin\AppData\Local\Temp\kcuwjccjhj.exe

Filesize
79KB

MD5
33ea1e3f0aab54f3449e0d281787e669

SHA1
5537e4584a52ffa6a614740cfc266d7c156cef7d

SHA256
67d132f7343eb9038115b88f32c626b5b80a3d406d4bdd758aefd43a8e20af32

SHA512
c0277dc1a0b7f02b64113a0225e7e4d3624cded9de0be0c439fa5f47b2496086821f19aa1d94f06e4f524bcbec56cb3ce19f5b528f996c6ea362eaa21c795694

Download Submit
memory/1524-66-0x0000000000320000-0x0000000000346000-memory.dmp

Filesize
152KB

Download
memory/1524-67-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1980-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing