snakekeylogger | ed8a2741526c390d94d57de34aad4e3d533ab02beb98f6dfe428c281ec37d279

Analysis

max time kernel
144s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
23/03/2023, 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed8a2741526c390d94d57de34aad4e3d533ab02beb98f6dfe428c281ec37d279.exe
Size

768KB
MD5

b937cfc610976f5aed6dfd7aba0763c7
SHA1

0df6374148b77143dde73e89ac0cfc485a7a2922
SHA256

ed8a2741526c390d94d57de34aad4e3d533ab02beb98f6dfe428c281ec37d279
SHA512

c1faae3d490898a9b549aeedc71e71a4217422b09a77ba727cda41faec41f50ff8d073abe73e086dcfa267cac6b2467b7324a625f3a1b5cc1d4dec8737f24985
SSDEEP

12288:S7ZwdNNAUmugqIkPLtxj4iO4zqSmuQ2Nm1ndbs9a7frhB3mGjPzXRbrQyQpytTfB:WZGNKUPlIELb4bETQAYboa7DvXRPvfA8

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
cp5ua.hyperhost.ua
Port:
587
Username:
[email protected]
Password:
7213575aceACE@#$
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral1/memory/4476-132-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2968 set thread context of 4476	2968	ed8a2741526c390d94d57de34aad4e3d533ab02beb98f6dfe428c281ec37d279.exe	66

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4832	4476	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4476	ed8a2741526c390d94d57de34aad4e3d533ab02beb98f6dfe428c281ec37d279.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4476	ed8a2741526c390d94d57de34aad4e3d533ab02beb98f6dfe428c281ec37d279.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 4476	2968	ed8a2741526c390d94d57de34aad4e3d533ab02beb98f6dfe428c281ec37d279.exe	66
PID 2968 wrote to memory of 4476	2968	ed8a2741526c390d94d57de34aad4e3d533ab02beb98f6dfe428c281ec37d279.exe	66
PID 2968 wrote to memory of 4476	2968	ed8a2741526c390d94d57de34aad4e3d533ab02beb98f6dfe428c281ec37d279.exe	66
PID 2968 wrote to memory of 4476	2968	ed8a2741526c390d94d57de34aad4e3d533ab02beb98f6dfe428c281ec37d279.exe	66
PID 2968 wrote to memory of 4476	2968	ed8a2741526c390d94d57de34aad4e3d533ab02beb98f6dfe428c281ec37d279.exe	66
PID 2968 wrote to memory of 4476	2968	ed8a2741526c390d94d57de34aad4e3d533ab02beb98f6dfe428c281ec37d279.exe	66
PID 2968 wrote to memory of 4476	2968	ed8a2741526c390d94d57de34aad4e3d533ab02beb98f6dfe428c281ec37d279.exe	66
PID 2968 wrote to memory of 4476	2968	ed8a2741526c390d94d57de34aad4e3d533ab02beb98f6dfe428c281ec37d279.exe	66

C:\Users\Admin\AppData\Local\Temp\ed8a2741526c390d94d57de34aad4e3d533ab02beb98f6dfe428c281ec37d279.exe
"C:\Users\Admin\AppData\Local\Temp\ed8a2741526c390d94d57de34aad4e3d533ab02beb98f6dfe428c281ec37d279.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\ed8a2741526c390d94d57de34aad4e3d533ab02beb98f6dfe428c281ec37d279.exe
  "C:\Users\Admin\AppData\Local\Temp\ed8a2741526c390d94d57de34aad4e3d533ab02beb98f6dfe428c281ec37d279.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1456
    3⤵
    - Program crash
    PID:4832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ed8a2741526c390d94d57de34aad4e3d533ab02beb98f6dfe428c281ec37d279.exe.log

Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
memory/2968-127-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/2968-129-0x0000000007E10000-0x0000000007EB2000-memory.dmp

Filesize
648KB

Download
memory/2968-124-0x00000000029B0000-0x00000000029BA000-memory.dmp

Filesize
40KB

Download
memory/2968-125-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/2968-126-0x0000000005060000-0x000000000507C000-memory.dmp

Filesize
112KB

Download
memory/2968-121-0x0000000000410000-0x00000000004D6000-memory.dmp

Filesize
792KB

Download
memory/2968-128-0x0000000005090000-0x000000000509C000-memory.dmp

Filesize
48KB

Download
memory/2968-123-0x0000000004DC0000-0x0000000004E52000-memory.dmp

Filesize
584KB

Download
memory/2968-130-0x0000000007F60000-0x0000000007FFC000-memory.dmp

Filesize
624KB

Download
memory/2968-131-0x0000000007EF0000-0x0000000007F18000-memory.dmp

Filesize
160KB

Download
memory/2968-122-0x0000000005460000-0x000000000595E000-memory.dmp

Filesize
5.0MB

Download
memory/4476-132-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4476-135-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/4476-136-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download