snakekeylogger | f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d

General

Target

f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d.exe
Size

284KB
MD5

3d5458f26b59708a5d0da5567189aa41
SHA1

826bcb30b6bb04c549caf271b447710b015e316f
SHA256

f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d
SHA512

205741a7c70a90bdaf955c083d65a54776fa62b1af6714ecd902a0c5f9b3fbc804675d96e582b35990b18f5b22ac78d3e050ac2496b8d4512a350b8cbb9dd465
SSDEEP

6144:vYa6clQizg+ll2N9cdRVmBuYiqOhhePDmRq3KvFAq+q9Wi:vYa9DlUcdFqOhAPa3A1q9Wi

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3292-145-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/3292-143-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/3292-141-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/3292-149-0x0000000000400000-0x0000000000437000-memory.dmp	family_snakekeylogger
behavioral1/memory/3292-152-0x0000000004A70000-0x0000000004A80000-memory.dmp	family_snakekeylogger
behavioral1/memory/3292-160-0x0000000004A70000-0x0000000004A80000-memory.dmp	family_snakekeylogger

Executes dropped EXE 2 IoCs

Processes:

fzutvwnon.exefzutvwnon.exe

pid process

2376 fzutvwnon.exe
3292 fzutvwnon.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2376	fzutvwnon.exe
3292	fzutvwnon.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

fzutvwnon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fzutvwnon.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fzutvwnon.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fzutvwnon.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

fzutvwnon.exe

description pid process target process

PID 2376 set thread context of 3292 2376 fzutvwnon.exe fzutvwnon.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fzutvwnon.exe

pid process

3292 fzutvwnon.exe
3292 fzutvwnon.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

fzutvwnon.exe

pid process

2376 fzutvwnon.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fzutvwnon.exe

description pid process

Token: SeDebugPrivilege 3292 fzutvwnon.exe

flow	ioc
14	checkip.dyndns.org

description	pid	process	target process
PID 2376 set thread context of 3292	2376	fzutvwnon.exe	fzutvwnon.exe

pid	process
3292	fzutvwnon.exe
3292	fzutvwnon.exe

pid	process
2376	fzutvwnon.exe

description	pid	process
Token: SeDebugPrivilege	3292	fzutvwnon.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d.exefzutvwnon.exe

description	pid	process	target process
PID 4896 wrote to memory of 2376	4896	f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d.exe	fzutvwnon.exe
PID 4896 wrote to memory of 2376	4896	f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d.exe	fzutvwnon.exe
PID 4896 wrote to memory of 2376	4896	f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d.exe	fzutvwnon.exe
PID 2376 wrote to memory of 3292	2376	fzutvwnon.exe	fzutvwnon.exe
PID 2376 wrote to memory of 3292	2376	fzutvwnon.exe	fzutvwnon.exe
PID 2376 wrote to memory of 3292	2376	fzutvwnon.exe	fzutvwnon.exe
PID 2376 wrote to memory of 3292	2376	fzutvwnon.exe	fzutvwnon.exe

outlook_office_path 1 IoCs

Processes:

fzutvwnon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fzutvwnon.exe

outlook_win_path 1 IoCs

Processes:

fzutvwnon.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fzutvwnon.exe

C:\Users\Admin\AppData\Local\Temp\f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d.exe
"C:\Users\Admin\AppData\Local\Temp\f1a4fd0ba166dd905af0029c7f759f23c52481e050fa067d4a8ac6866d71090d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4896

C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe
"C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe" C:\Users\Admin\AppData\Local\Temp\amhfv.r
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2376

C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe
"C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\amhfv.r
Filesize
6KB

MD5
5385c914ba21e2acd3ed22e8e8cb531d

SHA1
41af2470ddf143003b0a5e7e30228bb2925053d0

SHA256
ed30c27eb637febd67dc4c5ae3714e88f12b0871543d774ae9ce64f4fb4c36fd

SHA512
1fa6c8c7dd10ef32882568f157aa410674dd86981205393df30f055fb755d7dc07364016d44e5e636befeb32258020cd16288fac863e6acdca6c00c032ac8238

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe
Filesize
138KB

MD5
5ae5136cf30b0ac8348fd79052c86b0c

SHA1
0db2a625e6e7ebdcee5cd3c5cbe583d56bb236ea

SHA256
a59f2e2032ab0c2c6ced4498f8d88c50b3a7d677b7cb977fb3fcca6838ebef1e

SHA512
86444ede91ad600a9943b1bc42a670d2f2a874c1a99d32fb83c851c219ca23e2f2c1ecc896c295b2af970392cca72d2406ff2a006e7333120308737e61ba76b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe
Filesize
138KB

MD5
5ae5136cf30b0ac8348fd79052c86b0c

SHA1
0db2a625e6e7ebdcee5cd3c5cbe583d56bb236ea

SHA256
a59f2e2032ab0c2c6ced4498f8d88c50b3a7d677b7cb977fb3fcca6838ebef1e

SHA512
86444ede91ad600a9943b1bc42a670d2f2a874c1a99d32fb83c851c219ca23e2f2c1ecc896c295b2af970392cca72d2406ff2a006e7333120308737e61ba76b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzutvwnon.exe
Filesize
138KB

MD5
5ae5136cf30b0ac8348fd79052c86b0c

SHA1
0db2a625e6e7ebdcee5cd3c5cbe583d56bb236ea

SHA256
a59f2e2032ab0c2c6ced4498f8d88c50b3a7d677b7cb977fb3fcca6838ebef1e

SHA512
86444ede91ad600a9943b1bc42a670d2f2a874c1a99d32fb83c851c219ca23e2f2c1ecc896c295b2af970392cca72d2406ff2a006e7333120308737e61ba76b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujutoge.pl
Filesize
225KB

MD5
ac99a9fb725cf4377037eb3a4f9c6990

SHA1
015488a0284f3141ee2a22cfff267fa330f07a9f

SHA256
dc05a51ed6fde34cb631f3cc1a61762cb165f86e0b8db5f66db455cd8d9ce78c

SHA512
4578355428502a2798a252de5c0b70f0a4598902c3be1732fe7c54ae13a4f4f24c3cb72fcf5b04ac5ae3bf7cf00a2280f73135dcbd8dcb4bc315d8ef02ed55dc

Download Submit
memory/2376-158-0x00000000006C0000-0x00000000006C2000-memory.dmp

Filesize
8KB

Download
memory/2376-144-0x00000000006C0000-0x00000000006C2000-memory.dmp

Filesize
8KB

Download
memory/3292-150-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/3292-154-0x0000000005C90000-0x0000000005E52000-memory.dmp

Filesize
1.8MB

Download
memory/3292-147-0x0000000004A80000-0x0000000005024000-memory.dmp

Filesize
5.6MB

Download
memory/3292-148-0x0000000004980000-0x0000000004A1C000-memory.dmp

Filesize
624KB

Download
memory/3292-149-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3292-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3292-151-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/3292-152-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/3292-153-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/3292-141-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3292-155-0x0000000005E60000-0x0000000005EF2000-memory.dmp

Filesize
584KB

Download
memory/3292-156-0x0000000005F70000-0x0000000005F7A000-memory.dmp

Filesize
40KB

Download
memory/3292-145-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3292-159-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/3292-160-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/3292-161-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download
memory/3292-162-0x0000000004A70000-0x0000000004A80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads