snakekeylogger | aa6f1394af3f2820ad15b115539bc57596bffed774520729fe0254dc9e149384

General

Target

Updated soa.exe
Size

322KB
MD5

b5d3de58f86d95b83246055925663215
SHA1

84bde480b1cbe27b6340dfefb6cff62f1fe6196c
SHA256

aa6f1394af3f2820ad15b115539bc57596bffed774520729fe0254dc9e149384
SHA512

b375d6bb6ae0ea2d38449a6a3bc214fc922980002b59ca3235e68772c2a619a73333eed07b1afe0a322a2486abc4ee61bb90f23748ce00ce2b0355adea8cf395
SSDEEP

6144:mPouQrUTlbGwNODJ8ENTpxGkgz9aaMjubs9zHFe:mz2UTK+mTpxPgBaaAi+le

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5229864731:AAEV0jOLrI_tfLx-WLBXsih1ys_6gsK9KBg/sendMessage?chat_id=1455975185

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/5096-140-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF.exe	Powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF.exe	Powershell.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Updated soa.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Updated soa.exe
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Updated soa.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4740 set thread context of 5096	4740	Updated soa.exe	83

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5096	Updated soa.exe
4840	Powershell.exe
4840	Powershell.exe
5096	Updated soa.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5096	Updated soa.exe
Token: SeDebugPrivilege	4840	Powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4840	4740	Updated soa.exe	81
PID 4740 wrote to memory of 4840	4740	Updated soa.exe	81
PID 4740 wrote to memory of 4840	4740	Updated soa.exe	81
PID 4740 wrote to memory of 5096	4740	Updated soa.exe	83
PID 4740 wrote to memory of 5096	4740	Updated soa.exe	83
PID 4740 wrote to memory of 5096	4740	Updated soa.exe	83
PID 4740 wrote to memory of 5096	4740	Updated soa.exe	83
PID 4740 wrote to memory of 5096	4740	Updated soa.exe	83
PID 4740 wrote to memory of 5096	4740	Updated soa.exe	83
PID 4740 wrote to memory of 5096	4740	Updated soa.exe	83
PID 4740 wrote to memory of 5096	4740	Updated soa.exe	83

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Updated soa.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Updated soa.exe

C:\Users\Admin\AppData\Local\Temp\Updated soa.exe
"C:\Users\Admin\AppData\Local\Temp\Updated soa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
  "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Updated soa.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF.exe'
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4840
- C:\Users\Admin\AppData\Local\Temp\Updated soa.exe
  "C:\Users\Admin\AppData\Local\Temp\Updated soa.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:5096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Updated soa.exe.log

Filesize
706B

MD5
9b4d7ccdebef642a9ad493e2c2925952

SHA1
c020c622c215e880c8415fa867cb50210b443ef0

SHA256
e6f068d76bd941b4118225b130db2c70128e77a45dcdbf5cbab0f8a563b867ff

SHA512
8577ecd7597d4b540bc1c6ccc4150eae7443da2e4be1343cc42242714d04dd16e48c3fcaefd95c4a148fe9f14c5b6f3166b752ae20d608676cf6fb48919968e8

Download Submit
memory/4740-133-0x00000000050E0000-0x0000000005684000-memory.dmp

Filesize
5.6MB

Download
memory/4740-134-0x0000000004BE0000-0x0000000004C72000-memory.dmp

Filesize
584KB

Download
memory/4740-135-0x0000000004D60000-0x0000000004DFC000-memory.dmp

Filesize
624KB

Download
memory/4740-132-0x00000000001E0000-0x0000000000236000-memory.dmp

Filesize
344KB

Download
memory/4840-144-0x0000000006260000-0x00000000062C6000-memory.dmp

Filesize
408KB

Download
memory/4840-148-0x0000000006E80000-0x0000000006EA2000-memory.dmp

Filesize
136KB

Download
memory/4840-147-0x0000000006E00000-0x0000000006E1A000-memory.dmp

Filesize
104KB

Download
memory/4840-137-0x0000000002F80000-0x0000000002FB6000-memory.dmp

Filesize
216KB

Download
memory/4840-142-0x00000000058F0000-0x0000000005912000-memory.dmp

Filesize
136KB

Download
memory/4840-143-0x0000000005FC0000-0x0000000006026000-memory.dmp

Filesize
408KB

Download
memory/4840-138-0x0000000005990000-0x0000000005FB8000-memory.dmp

Filesize
6.2MB

Download
memory/4840-145-0x00000000069B0000-0x00000000069CE000-memory.dmp

Filesize
120KB

Download
memory/4840-146-0x00000000079B0000-0x0000000007A46000-memory.dmp

Filesize
600KB

Download
memory/5096-140-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5096-149-0x0000000006410000-0x00000000065D2000-memory.dmp

Filesize
1.8MB

Download
memory/5096-150-0x0000000006250000-0x000000000625A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing