snakekeylogger | 9cf253811170267c598ef711a7f56ac10a32e6aa66a97b74b6ad272cf8838593

Analysis

max time kernel
28s
max time network
111s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03/03/2023, 14:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

scan copy.exe
Size

457KB
MD5

0e5ab5deea105ec9b280fb9a6b28b86c
SHA1

41f57c18c53d456133ae638ed612ee9916eaf733
SHA256

9cf253811170267c598ef711a7f56ac10a32e6aa66a97b74b6ad272cf8838593
SHA512

c19b1098df8d45b05d3e45d5256e5738c99a718719234bd2deb36e70b010a2aa8228de7c26778840951779dbdb5ff1644338e495a992210a0654f8216104c9f0
SSDEEP

6144:cYa6dpFXx6dy7OA0zWOFdzVtA6KCeMiQQVCWJLHSXxdJeb+eUK3:cY3pFXxkrASxFdR6CECWJAxdJe/3

Score

10^/10

snakekeylogger collection keylogger persistence spyware stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot5899566495:AAFo2O2TVv3tz-X9Nff5JeajHiDrQS5IbE4/sendMessage?chat_id=5813868608

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 4 IoCs

resource	yara_rule
behavioral1/memory/1488-70-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/1488-74-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/1488-75-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/1488-76-0x0000000000230000-0x0000000000256000-memory.dmp	family_snakekeylogger

Executes dropped EXE 2 IoCs

pid	Process
1404	sipmfnxzkw.exe
1488	sipmfnxzkw.exe

Loads dropped DLL 3 IoCs

pid	Process
1376	scan copy.exe
1376	scan copy.exe
1404	sipmfnxzkw.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sipmfnxzkw.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sipmfnxzkw.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sipmfnxzkw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\qoebwgg = "C:\\Users\\Admin\\AppData\\Roaming\\yfhmy\\akjkd.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\sipmfnxzkw.exe\" C:\\Users\\Admin\\AppData\\Local\\Tem"	sipmfnxzkw.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1404 set thread context of 1488	1404	sipmfnxzkw.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1488	sipmfnxzkw.exe
1488	sipmfnxzkw.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1404	sipmfnxzkw.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	sipmfnxzkw.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1404	1376	scan copy.exe	28
PID 1376 wrote to memory of 1404	1376	scan copy.exe	28
PID 1376 wrote to memory of 1404	1376	scan copy.exe	28
PID 1376 wrote to memory of 1404	1376	scan copy.exe	28
PID 1404 wrote to memory of 1488	1404	sipmfnxzkw.exe	30
PID 1404 wrote to memory of 1488	1404	sipmfnxzkw.exe	30
PID 1404 wrote to memory of 1488	1404	sipmfnxzkw.exe	30
PID 1404 wrote to memory of 1488	1404	sipmfnxzkw.exe	30
PID 1404 wrote to memory of 1488	1404	sipmfnxzkw.exe	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sipmfnxzkw.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sipmfnxzkw.exe

C:\Users\Admin\AppData\Local\Temp\scan copy.exe
"C:\Users\Admin\AppData\Local\Temp\scan copy.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\sipmfnxzkw.exe
  "C:\Users\Admin\AppData\Local\Temp\sipmfnxzkw.exe" C:\Users\Admin\AppData\Local\Temp\ymendffp.e
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Users\Admin\AppData\Local\Temp\sipmfnxzkw.exe
    "C:\Users\Admin\AppData\Local\Temp\sipmfnxzkw.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\flcqizal.k

Filesize
225KB

MD5
80ec5fdefe4c2aee8f5b80037ec3fe3c

SHA1
36f74fb8b7ff986880a54fdcdf01cd846571cbab

SHA256
41efea44673818ad33d744463e8aaf7c3d9fdcbd88299ee295fd27476c148067

SHA512
ab202e59f481bc1d9ae9819c5f84227bf2e754eade4cbd6af93ba70a4bc0d8eb2d5ec6c552109c1a1aa5cd8fbb6cd39f9aab2dde14fa7987acd257836b6bcd16

Download Submit
C:\Users\Admin\AppData\Local\Temp\sipmfnxzkw.exe

Filesize
137KB

MD5
dc40c91de71fd799fff2bf8c66524575

SHA1
12fded9f3789c2cd11d802841b3daf080bd2eb50

SHA256
4e79c29d7cacf01ebad9aa180d1754dcd21f0e734825d1938ef9a191c682f2c3

SHA512
06ee4bc40254bdcf5ab5036f12caf21636b1ebf99cfc36952692ec77ba6d63fd911cb6b7c89391e32516d98e1b845ea3534227cb0277e9a3e5c42e7541922267

Download Submit
C:\Users\Admin\AppData\Local\Temp\sipmfnxzkw.exe

Filesize
137KB

MD5
dc40c91de71fd799fff2bf8c66524575

SHA1
12fded9f3789c2cd11d802841b3daf080bd2eb50

SHA256
4e79c29d7cacf01ebad9aa180d1754dcd21f0e734825d1938ef9a191c682f2c3

SHA512
06ee4bc40254bdcf5ab5036f12caf21636b1ebf99cfc36952692ec77ba6d63fd911cb6b7c89391e32516d98e1b845ea3534227cb0277e9a3e5c42e7541922267

Download Submit
C:\Users\Admin\AppData\Local\Temp\sipmfnxzkw.exe

Filesize
137KB

MD5
dc40c91de71fd799fff2bf8c66524575

SHA1
12fded9f3789c2cd11d802841b3daf080bd2eb50

SHA256
4e79c29d7cacf01ebad9aa180d1754dcd21f0e734825d1938ef9a191c682f2c3

SHA512
06ee4bc40254bdcf5ab5036f12caf21636b1ebf99cfc36952692ec77ba6d63fd911cb6b7c89391e32516d98e1b845ea3534227cb0277e9a3e5c42e7541922267

Download Submit
C:\Users\Admin\AppData\Local\Temp\sipmfnxzkw.exe

Filesize
137KB

MD5
dc40c91de71fd799fff2bf8c66524575

SHA1
12fded9f3789c2cd11d802841b3daf080bd2eb50

SHA256
4e79c29d7cacf01ebad9aa180d1754dcd21f0e734825d1938ef9a191c682f2c3

SHA512
06ee4bc40254bdcf5ab5036f12caf21636b1ebf99cfc36952692ec77ba6d63fd911cb6b7c89391e32516d98e1b845ea3534227cb0277e9a3e5c42e7541922267

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymendffp.e

Filesize
7KB

MD5
9894530daf89000c3ac3e233fd9e33f4

SHA1
d47d2d00ecad38f593925c54d9484dfa8deada0b

SHA256
297e465334270a6a2248463b268c1a1afdc635474812074a113a75d91f0fb5de

SHA512
16dd89e0e869d766f6103baf5b5edeb86e61a5accf6d5971d2445e2c66963cb8200ea7952fcc3d2339124b92a37d1c2b4acb4d19d4afa0fc31b25744bdfed1cf

Download Submit
\Users\Admin\AppData\Local\Temp\sipmfnxzkw.exe

Filesize
137KB

MD5
dc40c91de71fd799fff2bf8c66524575

SHA1
12fded9f3789c2cd11d802841b3daf080bd2eb50

SHA256
4e79c29d7cacf01ebad9aa180d1754dcd21f0e734825d1938ef9a191c682f2c3

SHA512
06ee4bc40254bdcf5ab5036f12caf21636b1ebf99cfc36952692ec77ba6d63fd911cb6b7c89391e32516d98e1b845ea3534227cb0277e9a3e5c42e7541922267

Download Submit
\Users\Admin\AppData\Local\Temp\sipmfnxzkw.exe

Filesize
137KB

MD5
dc40c91de71fd799fff2bf8c66524575

SHA1
12fded9f3789c2cd11d802841b3daf080bd2eb50

SHA256
4e79c29d7cacf01ebad9aa180d1754dcd21f0e734825d1938ef9a191c682f2c3

SHA512
06ee4bc40254bdcf5ab5036f12caf21636b1ebf99cfc36952692ec77ba6d63fd911cb6b7c89391e32516d98e1b845ea3534227cb0277e9a3e5c42e7541922267

Download Submit
\Users\Admin\AppData\Local\Temp\sipmfnxzkw.exe

Filesize
137KB

MD5
dc40c91de71fd799fff2bf8c66524575

SHA1
12fded9f3789c2cd11d802841b3daf080bd2eb50

SHA256
4e79c29d7cacf01ebad9aa180d1754dcd21f0e734825d1938ef9a191c682f2c3

SHA512
06ee4bc40254bdcf5ab5036f12caf21636b1ebf99cfc36952692ec77ba6d63fd911cb6b7c89391e32516d98e1b845ea3534227cb0277e9a3e5c42e7541922267

Download Submit
memory/1488-70-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1488-74-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1488-75-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1488-76-0x0000000000230000-0x0000000000256000-memory.dmp

Filesize
152KB

Download
memory/1488-77-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download