snakekeylogger | 47e8a43a5dfcefe4d6850764bb413ffeab6724be3a37620853b686c9fb23db34

Analysis

max time kernel
122s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23/03/2023, 06:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

clip_image001.exe
Size

411KB
MD5

0600fd383dfdc1c13eec78c11c9a848d
SHA1

f26e1ed9f1e4a926e613de202318652cdba076ec
SHA256

47e8a43a5dfcefe4d6850764bb413ffeab6724be3a37620853b686c9fb23db34
SHA512

f5b3492f4e0694f541f08b2979f2e7c68ddb399df7fafdf29bed08e7fc11ed2fe87dc2b803658ea40c424026b38b373ac859d25cd8a116924417a0adb74ae244
SSDEEP

6144:8BeMoZqMFv+k0Q8It5gUqJ3PrYx4ePqAeHdKLAdXKEPHihu:ioZqMpB0Qwn3seeuKLAvf0u

Score

10^/10

snakekeylogger collection discovery keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.eversafe.pt
Port:
587
Username:
[email protected]
Password:
Ev3rsaf3_2021
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

resource	yara_rule
behavioral2/memory/3692-166-0x0000000000400000-0x000000000062B000-memory.dmp	family_snakekeylogger
behavioral2/memory/3692-168-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	clip_image001.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Loads dropped DLL 2 IoCs

pid	Process
4876	clip_image001.exe
4876	clip_image001.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
55	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3692	caspol.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4876	clip_image001.exe
3692	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4876 set thread context of 3692	4876	clip_image001.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2628	3692	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3692	caspol.exe
3692	caspol.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4876	clip_image001.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3692	caspol.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 3692	4876	clip_image001.exe	88
PID 4876 wrote to memory of 3692	4876	clip_image001.exe	88
PID 4876 wrote to memory of 3692	4876	clip_image001.exe	88
PID 4876 wrote to memory of 3692	4876	clip_image001.exe	88

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

C:\Users\Admin\AppData\Local\Temp\clip_image001.exe
"C:\Users\Admin\AppData\Local\Temp\clip_image001.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
  "C:\Users\Admin\AppData\Local\Temp\clip_image001.exe"
  2⤵
  - Checks QEMU agent file
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 2316
    3⤵
    - Program crash
    PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3692 -ip 3692
1⤵
PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsn770A.tmp\AdvSplash.dll

Filesize
5KB

MD5
15d8eee287329e2030c34c6bb3e62c87

SHA1
1de23c0883f7a80a489e140c55b16970dd0264ab

SHA256
9bf33690090655e91389469beb5dbdd45942192f2e2486c9fa82fa6d74a0f88b

SHA512
6ee495dcefd131ca490d6f3077643f49598184c3a49f1f66ed7a6d1559ebb9266c8c87cf49c06cdde8a6cd0643fb46f83d13aa5f27ba0c90de4791cb8bad29c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn770A.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
memory/3692-165-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3692-166-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/3692-167-0x0000000001350000-0x0000000004E27000-memory.dmp

Filesize
58.8MB

Download
memory/3692-168-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3692-169-0x0000000038440000-0x00000000389E4000-memory.dmp

Filesize
5.6MB

Download
memory/3692-170-0x0000000037E90000-0x0000000037F2C000-memory.dmp

Filesize
624KB

Download
memory/3692-171-0x0000000001330000-0x0000000001340000-memory.dmp

Filesize
64KB

Download
memory/3692-173-0x0000000001350000-0x0000000004E27000-memory.dmp

Filesize
58.8MB

Download