snakekeylogger | 1a8ab52bb58371cdfdf171987be0fec8509fab2495da503417eff49567043850

General

Target

vbc.exe
Size

605KB
MD5

865004f0278a4301cd6919a58e09c9b2
SHA1

26dc1f074a685c83523ccd4a6ed77fce534ac984
SHA256

1a8ab52bb58371cdfdf171987be0fec8509fab2495da503417eff49567043850
SHA512

b1602e75c3bdc3371afb3f501f1a5964ced55665a5bb4a8f5471a0698b110ad58bfe95871cf3523a452194c7a64b3d7451efe2e8fa86ad3273792b9e28cdd63e
SSDEEP

12288:/Y8t680YIA0PxJwPV22JZv9XGmXt1TF7NL3N2Wi9HyjmfH5aKtlKHtVhagVbG9R3:/Y8ssQJwN2Sd9XGYdR53gWuS6vQbVbmN

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/1728-139-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger

Executes dropped EXE 2 IoCs

pid	Process
3080	fncxla.exe
1728	fncxla.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fncxla.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fncxla.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fncxla.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3080 set thread context of 1728	3080	fncxla.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1728	fncxla.exe
1728	fncxla.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3080	fncxla.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	fncxla.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3080	fncxla.exe
3080	fncxla.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3080	fncxla.exe
3080	fncxla.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 3080	1740	vbc.exe	79
PID 1740 wrote to memory of 3080	1740	vbc.exe	79
PID 1740 wrote to memory of 3080	1740	vbc.exe	79
PID 3080 wrote to memory of 1728	3080	fncxla.exe	80
PID 3080 wrote to memory of 1728	3080	fncxla.exe	80
PID 3080 wrote to memory of 1728	3080	fncxla.exe	80
PID 3080 wrote to memory of 1728	3080	fncxla.exe	80

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fncxla.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fncxla.exe

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\fncxla.exe
  "C:\Users\Admin\AppData\Local\Temp\fncxla.exe" "C:\Users\Admin\AppData\Local\Temp\trkknkm.au3"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Users\Admin\AppData\Local\Temp\fncxla.exe
    "C:\Users\Admin\AppData\Local\Temp\fncxla.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fncxla.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fncxla.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtshhbx.xg

Filesize
52KB

MD5
983748145cf07bc735bc9e185215f8f8

SHA1
e32dc4c4a070650ae57bee85f004b0fd12e500e3

SHA256
42e9bf6825a414100ea7b57938294dd9a77fbe7e0448abaed1a4e5c3a40b4de4

SHA512
07933281d88fdb199dbce80c01dba27d5d5699ce7b93dbc35d99fbe6a5c409e013e236933147e6f7d9ee9f29e68c1adaa3dbf1d143287f1f4eac8b363509b813

Download Submit
C:\Users\Admin\AppData\Local\Temp\trkknkm.au3

Filesize
3KB

MD5
6431a0ba9a81849921c121a1f86a0992

SHA1
3629ba35586557700851400392c4aa065c353280

SHA256
4688f3a963cb139b421f8a285ca633f312986f44e0c825e7ae3bfc004597dd5f

SHA512
8cf0ddf03ef40fd305b22bb869de0fc59fd6a56b0c8fa51da8ec3f962a45074ec53612c5d252fa3f2226f5fa276e1e707644457d5e6c36282751becc4697b013

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrywg.t

Filesize
225KB

MD5
47f21917479a42e37841390d89558322

SHA1
b4ab72cdb50dfe9dbc24947487f234338f1b4cce

SHA256
9667484821c6b96e2794bbad45017a7df3861c5673a1251b9e911211dc94f7a3

SHA512
a10eb0f5d6906f65d7ebd4832a64e30fbd3e6f698d21eacae8a1124a87f4273ca52ee9525d03d5e5f4751d5e92d155bf588ae914b8014196d4731fffa5a7d6de

Download Submit
memory/1728-139-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1728-140-0x0000000005FB0000-0x0000000006554000-memory.dmp

Filesize
5.6MB

Download
memory/1728-141-0x0000000005A00000-0x0000000005A9C000-memory.dmp

Filesize
624KB

Download
memory/1728-142-0x0000000007130000-0x00000000072F2000-memory.dmp

Filesize
1.8MB

Download
memory/1728-143-0x0000000007000000-0x0000000007092000-memory.dmp

Filesize
584KB

Download
memory/1728-144-0x0000000006FC0000-0x0000000006FCA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing