snakekeylogger | 764f315bc712165766db3ca0246504b88ea0d7d19186be356e14ce13372542e4

General

Target

4ab558181de9bd2dd00dc75eb66840c18c9243c62d72ee90d4e037d9be472721.exe
Size

291KB
MD5

2187a019e706bbd61c23e8bb6e8c52d7
SHA1

c6de153270978951a9583b5cf53f76f14a1d6392
SHA256

4ab558181de9bd2dd00dc75eb66840c18c9243c62d72ee90d4e037d9be472721
SHA512

f7035b25e8f028785042636a9824d74c5fdd82075cfa537ff36effbba6a850d3206d13c93923f6b5225aa44655685e4d1e1ca4f6da18132130860a9ffae6e2b3
SSDEEP

6144:9Ya6bgG4b0kMEMSz1RMxASpy6xLfkMGC1rEwZzFCuwyIJSm:9YF1AHHzXMPpy2LfUC1JpFkD

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5972904963:AAH_L0Z1BaWpBDyPhmUAMb5yVXWF00k11jk/sendMessage?chat_id=5334267822

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 4 IoCs

resource	yara_rule
behavioral1/memory/992-66-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/992-70-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/992-71-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/992-73-0x00000000003E0000-0x0000000000406000-memory.dmp	family_snakekeylogger

Executes dropped EXE 2 IoCs

pid	Process
2020	ejvvifsq.exe
992	ejvvifsq.exe

Loads dropped DLL 2 IoCs

pid	Process
1060	4ab558181de9bd2dd00dc75eb66840c18c9243c62d72ee90d4e037d9be472721.exe
2020	ejvvifsq.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ejvvifsq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ejvvifsq.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ejvvifsq.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2020 set thread context of 992	2020	ejvvifsq.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
992	ejvvifsq.exe
992	ejvvifsq.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2020	ejvvifsq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	992	ejvvifsq.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 2020	1060	4ab558181de9bd2dd00dc75eb66840c18c9243c62d72ee90d4e037d9be472721.exe	28
PID 1060 wrote to memory of 2020	1060	4ab558181de9bd2dd00dc75eb66840c18c9243c62d72ee90d4e037d9be472721.exe	28
PID 1060 wrote to memory of 2020	1060	4ab558181de9bd2dd00dc75eb66840c18c9243c62d72ee90d4e037d9be472721.exe	28
PID 1060 wrote to memory of 2020	1060	4ab558181de9bd2dd00dc75eb66840c18c9243c62d72ee90d4e037d9be472721.exe	28
PID 2020 wrote to memory of 992	2020	ejvvifsq.exe	29
PID 2020 wrote to memory of 992	2020	ejvvifsq.exe	29
PID 2020 wrote to memory of 992	2020	ejvvifsq.exe	29
PID 2020 wrote to memory of 992	2020	ejvvifsq.exe	29
PID 2020 wrote to memory of 992	2020	ejvvifsq.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ejvvifsq.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ejvvifsq.exe

C:\Users\Admin\AppData\Local\Temp\4ab558181de9bd2dd00dc75eb66840c18c9243c62d72ee90d4e037d9be472721.exe
"C:\Users\Admin\AppData\Local\Temp\4ab558181de9bd2dd00dc75eb66840c18c9243c62d72ee90d4e037d9be472721.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\ejvvifsq.exe
  "C:\Users\Admin\AppData\Local\Temp\ejvvifsq.exe" C:\Users\Admin\AppData\Local\Temp\bptzm.sgm
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\ejvvifsq.exe
    "C:\Users\Admin\AppData\Local\Temp\ejvvifsq.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bptzm.sgm

Filesize
5KB

MD5
c3b3f048242e5503a67c7a9f71e47cb3

SHA1
c235131593a9b42837c708e5cc69fe40c2b10e7d

SHA256
2d4e195099667a4db35c1d4fdff0e134d76c9cfa78fcc9600c24f5628f60a017

SHA512
4629947aa6d75da94731fe584df11280e73e3c4daef7d43f4e7666cbaaf58db5b71ac1f3690fddec1911af3e28530a6f89810cab428126edfd3e48368f304e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejvvifsq.exe

Filesize
130KB

MD5
e7d5f5fc33f6f8697f706f32ed58866a

SHA1
4cb9f4332826e0e9066fbc9257ea5b4a333a0efa

SHA256
c8ce9f119ec6d49a57a2d811d0f849228ed7bc45c3b269a4bc2e87ac53ab9a8a

SHA512
a2e40c18dd07bcff8f62f2efab03b3cccea92cc54599091a0c92eb884699ef4323c091daec75838799a949ad717b5f56824236cc6b4cd1c4a22adbc5f8708f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejvvifsq.exe

Filesize
130KB

MD5
e7d5f5fc33f6f8697f706f32ed58866a

SHA1
4cb9f4332826e0e9066fbc9257ea5b4a333a0efa

SHA256
c8ce9f119ec6d49a57a2d811d0f849228ed7bc45c3b269a4bc2e87ac53ab9a8a

SHA512
a2e40c18dd07bcff8f62f2efab03b3cccea92cc54599091a0c92eb884699ef4323c091daec75838799a949ad717b5f56824236cc6b4cd1c4a22adbc5f8708f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejvvifsq.exe

Filesize
130KB

MD5
e7d5f5fc33f6f8697f706f32ed58866a

SHA1
4cb9f4332826e0e9066fbc9257ea5b4a333a0efa

SHA256
c8ce9f119ec6d49a57a2d811d0f849228ed7bc45c3b269a4bc2e87ac53ab9a8a

SHA512
a2e40c18dd07bcff8f62f2efab03b3cccea92cc54599091a0c92eb884699ef4323c091daec75838799a949ad717b5f56824236cc6b4cd1c4a22adbc5f8708f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkazfu.q

Filesize
225KB

MD5
ade50abff0f64c1a227ecbbbaf218c97

SHA1
1761428b52bb111f0414e916450cb638af7d4eba

SHA256
bb032cbe265be5808252dd7e5ba0e30ef6406c0187eb4b5dcd5b70685aab9403

SHA512
2c089b34f600d81b5c9965f27fef7b7d501872f52874cdd268b0791035e1e7267ac4c79a784649271017ad3044afef2579a0c3b3cb63360c82f3a7c657080355

Download Submit
\Users\Admin\AppData\Local\Temp\ejvvifsq.exe

Filesize
130KB

MD5
e7d5f5fc33f6f8697f706f32ed58866a

SHA1
4cb9f4332826e0e9066fbc9257ea5b4a333a0efa

SHA256
c8ce9f119ec6d49a57a2d811d0f849228ed7bc45c3b269a4bc2e87ac53ab9a8a

SHA512
a2e40c18dd07bcff8f62f2efab03b3cccea92cc54599091a0c92eb884699ef4323c091daec75838799a949ad717b5f56824236cc6b4cd1c4a22adbc5f8708f72

Download Submit
\Users\Admin\AppData\Local\Temp\ejvvifsq.exe

Filesize
130KB

MD5
e7d5f5fc33f6f8697f706f32ed58866a

SHA1
4cb9f4332826e0e9066fbc9257ea5b4a333a0efa

SHA256
c8ce9f119ec6d49a57a2d811d0f849228ed7bc45c3b269a4bc2e87ac53ab9a8a

SHA512
a2e40c18dd07bcff8f62f2efab03b3cccea92cc54599091a0c92eb884699ef4323c091daec75838799a949ad717b5f56824236cc6b4cd1c4a22adbc5f8708f72

Download Submit
memory/992-66-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/992-70-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/992-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/992-73-0x00000000003E0000-0x0000000000406000-memory.dmp

Filesize
152KB

Download
memory/992-72-0x00000000045E0000-0x0000000004620000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing