snakekeylogger | b08ee0a195de4d164f2e5818588fd494daaaddaf5f967a3c46d46206338981be

Analysis

max time kernel
31s
max time network
111s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-03-2023 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO_040323.exe
Size

243KB
MD5

2ac01daa7abbbffd8e1c5f2159c16e1b
SHA1

11476347227643c22fa5eeb35621e407ce5c7cae
SHA256

b08ee0a195de4d164f2e5818588fd494daaaddaf5f967a3c46d46206338981be
SHA512

8d27bfc43ec39d4c6b2a27372899e6264ebf46937517cd8fa44f016191495285426c6437bf3d6eb10c55562ff39b37801bf0e3b12f803cbec8d2b5bf8e7296ac
SSDEEP

6144:KYa6tDlMq35HQKhGvw3LcDBCaeymo+QzRv6Vd21Eg:KY3l7NQKhWwbKqyJzzwVE

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot5928295303:AAGuNoBPUTvSleTT4FySvjzDqvqzDvvy0hE/sendMessage?chat_id=5884533010

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 4 IoCs

resource	yara_rule
behavioral1/memory/984-69-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/984-73-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/984-74-0x0000000000210000-0x0000000000236000-memory.dmp	family_snakekeylogger
behavioral1/memory/984-75-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger

Executes dropped EXE 2 IoCs

pid	Process
1728	vrkgt.exe
984	vrkgt.exe

Loads dropped DLL 3 IoCs

pid	Process
1200	PO_040323.exe
1200	PO_040323.exe
1728	vrkgt.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vrkgt.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vrkgt.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vrkgt.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1728 set thread context of 984	1728	vrkgt.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
984	vrkgt.exe
984	vrkgt.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1728	vrkgt.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	984	vrkgt.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 1728	1200	PO_040323.exe	28
PID 1200 wrote to memory of 1728	1200	PO_040323.exe	28
PID 1200 wrote to memory of 1728	1200	PO_040323.exe	28
PID 1200 wrote to memory of 1728	1200	PO_040323.exe	28
PID 1728 wrote to memory of 984	1728	vrkgt.exe	29
PID 1728 wrote to memory of 984	1728	vrkgt.exe	29
PID 1728 wrote to memory of 984	1728	vrkgt.exe	29
PID 1728 wrote to memory of 984	1728	vrkgt.exe	29
PID 1728 wrote to memory of 984	1728	vrkgt.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vrkgt.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	vrkgt.exe

C:\Users\Admin\AppData\Local\Temp\PO_040323.exe
"C:\Users\Admin\AppData\Local\Temp\PO_040323.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\vrkgt.exe
  "C:\Users\Admin\AppData\Local\Temp\vrkgt.exe" C:\Users\Admin\AppData\Local\Temp\fxzqnbo.tdc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\vrkgt.exe
    "C:\Users\Admin\AppData\Local\Temp\vrkgt.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fxzqnbo.tdc

Filesize
5KB

MD5
2d436128d7efa8f8cbd80f6d474c507e

SHA1
63b5c84e34a150eb2de63c488f6eee2c314e1d0c

SHA256
60c5df9aa7a1ed6c7b69f7285b5beea90948911d10d7edaaac747357efaa4747

SHA512
c52b257112f4e9e88184d20d21169f92a84679a698051fef70cb80872f6ff899cd77eb12e7dc32133ec6f960b22284ced5673d9e53b5b67edadd8784dd4c2bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbbzxpm.dkc

Filesize
225KB

MD5
f558b77cbc14864b3e87902f427bc447

SHA1
600136a3ecf6a08f46732ce69a7fd2d735edcddf

SHA256
0c752c973eea7f1c4ab08b9ca0d806dc3e257780ede1c1ac4f54eb370fe93cb8

SHA512
70d8e07322829cc83f046ee307d3b52a817aa2c17d2c89a2fab16aa03c69e0e96a8444a5f9bec2337a275853491ff15884709abf39515955c545882b9b677c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrkgt.exe

Filesize
5KB

MD5
fb8f73bbeb62cca10deedc7bb7fdf6d7

SHA1
d63f7c2a2ba5edfe226e72de841c250a9efaaf74

SHA256
72c6e1e9a4e53e7336ad95e7f82fa0198cd6bbfdfaad6337cc7f3a8d40c5ae39

SHA512
e65c284adec5f2e85650b2853f20484fa494c246f337b1b3473da9e5b36f74551b0d2a6895a641a3b30f6411f5d1b3bb095268c55edf3d95c47e3d21aa12e0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrkgt.exe

Filesize
5KB

MD5
fb8f73bbeb62cca10deedc7bb7fdf6d7

SHA1
d63f7c2a2ba5edfe226e72de841c250a9efaaf74

SHA256
72c6e1e9a4e53e7336ad95e7f82fa0198cd6bbfdfaad6337cc7f3a8d40c5ae39

SHA512
e65c284adec5f2e85650b2853f20484fa494c246f337b1b3473da9e5b36f74551b0d2a6895a641a3b30f6411f5d1b3bb095268c55edf3d95c47e3d21aa12e0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrkgt.exe

Filesize
5KB

MD5
fb8f73bbeb62cca10deedc7bb7fdf6d7

SHA1
d63f7c2a2ba5edfe226e72de841c250a9efaaf74

SHA256
72c6e1e9a4e53e7336ad95e7f82fa0198cd6bbfdfaad6337cc7f3a8d40c5ae39

SHA512
e65c284adec5f2e85650b2853f20484fa494c246f337b1b3473da9e5b36f74551b0d2a6895a641a3b30f6411f5d1b3bb095268c55edf3d95c47e3d21aa12e0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrkgt.exe

Filesize
5KB

MD5
fb8f73bbeb62cca10deedc7bb7fdf6d7

SHA1
d63f7c2a2ba5edfe226e72de841c250a9efaaf74

SHA256
72c6e1e9a4e53e7336ad95e7f82fa0198cd6bbfdfaad6337cc7f3a8d40c5ae39

SHA512
e65c284adec5f2e85650b2853f20484fa494c246f337b1b3473da9e5b36f74551b0d2a6895a641a3b30f6411f5d1b3bb095268c55edf3d95c47e3d21aa12e0f1

Download Submit
\Users\Admin\AppData\Local\Temp\vrkgt.exe

Filesize
5KB

MD5
fb8f73bbeb62cca10deedc7bb7fdf6d7

SHA1
d63f7c2a2ba5edfe226e72de841c250a9efaaf74

SHA256
72c6e1e9a4e53e7336ad95e7f82fa0198cd6bbfdfaad6337cc7f3a8d40c5ae39

SHA512
e65c284adec5f2e85650b2853f20484fa494c246f337b1b3473da9e5b36f74551b0d2a6895a641a3b30f6411f5d1b3bb095268c55edf3d95c47e3d21aa12e0f1

Download Submit
\Users\Admin\AppData\Local\Temp\vrkgt.exe

Filesize
5KB

MD5
fb8f73bbeb62cca10deedc7bb7fdf6d7

SHA1
d63f7c2a2ba5edfe226e72de841c250a9efaaf74

SHA256
72c6e1e9a4e53e7336ad95e7f82fa0198cd6bbfdfaad6337cc7f3a8d40c5ae39

SHA512
e65c284adec5f2e85650b2853f20484fa494c246f337b1b3473da9e5b36f74551b0d2a6895a641a3b30f6411f5d1b3bb095268c55edf3d95c47e3d21aa12e0f1

Download Submit
\Users\Admin\AppData\Local\Temp\vrkgt.exe

Filesize
5KB

MD5
fb8f73bbeb62cca10deedc7bb7fdf6d7

SHA1
d63f7c2a2ba5edfe226e72de841c250a9efaaf74

SHA256
72c6e1e9a4e53e7336ad95e7f82fa0198cd6bbfdfaad6337cc7f3a8d40c5ae39

SHA512
e65c284adec5f2e85650b2853f20484fa494c246f337b1b3473da9e5b36f74551b0d2a6895a641a3b30f6411f5d1b3bb095268c55edf3d95c47e3d21aa12e0f1

Download Submit
memory/984-69-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/984-73-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/984-74-0x0000000000210000-0x0000000000236000-memory.dmp

Filesize
152KB

Download
memory/984-75-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/984-76-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/984-77-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download