snakekeylogger | e6c74fa34990259423123de4dca4a6b1924929ac74b4e0078c702ca2ec05782b

General

Target

Packing List.exe
Size

751KB
MD5

3e2bf9d409ebc43f74591d151aa64d38
SHA1

40fc577fddeff678703b4673daa55dbfe657e670
SHA256

e6c74fa34990259423123de4dca4a6b1924929ac74b4e0078c702ca2ec05782b
SHA512

0e2afe23b4e293b46efd230815557c18c0080fe16e674b2026d7b7ff2e9a0b87cd100d86daf5167b33d665f6a4fb27aa2447c6fc04d1bc568d0a3eb2f5848013
SSDEEP

12288:HjKdJVZz5dcKMk5pgPXJ3IclZZekLRafUWIN51YBplnQaacr2rKEKdmBhQFENrCo:HIVZ9qKP5iXRllVRafra5GLNQ7mEK9F

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
valleycountysar.org
Port:
26
Username:
mbown@valleycountysar.org
Password:
}eQA)VL2!$V}

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1468-69-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1468-70-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1468-72-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1468-74-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1468-76-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Packing List.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Packing List.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Packing List.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Packing List.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Packing List.exe

description pid process target process

PID 1084 set thread context of 1468 1084 Packing List.exe Packing List.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1812 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Packing List.exePacking List.exepowershell.exe

pid process

1084 Packing List.exe
1084 Packing List.exe
1468 Packing List.exe
1180 powershell.exe
1468 Packing List.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Packing List.exePacking List.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1084 Packing List.exe
Token: SeDebugPrivilege 1468 Packing List.exe
Token: SeDebugPrivilege 1180 powershell.exe

flow	ioc
4	checkip.dyndns.org

description	pid	process	target process
PID 1084 set thread context of 1468	1084	Packing List.exe	Packing List.exe

pid	process
1812	schtasks.exe

pid	process
1084	Packing List.exe
1084	Packing List.exe
1468	Packing List.exe
1180	powershell.exe
1468	Packing List.exe

description	pid	process
Token: SeDebugPrivilege	1084	Packing List.exe
Token: SeDebugPrivilege	1468	Packing List.exe
Token: SeDebugPrivilege	1180	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Packing List.exe

description	pid	process	target process
PID 1084 wrote to memory of 1180	1084	Packing List.exe	powershell.exe
PID 1084 wrote to memory of 1180	1084	Packing List.exe	powershell.exe
PID 1084 wrote to memory of 1180	1084	Packing List.exe	powershell.exe
PID 1084 wrote to memory of 1180	1084	Packing List.exe	powershell.exe
PID 1084 wrote to memory of 1812	1084	Packing List.exe	schtasks.exe
PID 1084 wrote to memory of 1812	1084	Packing List.exe	schtasks.exe
PID 1084 wrote to memory of 1812	1084	Packing List.exe	schtasks.exe
PID 1084 wrote to memory of 1812	1084	Packing List.exe	schtasks.exe
PID 1084 wrote to memory of 1468	1084	Packing List.exe	Packing List.exe
PID 1084 wrote to memory of 1468	1084	Packing List.exe	Packing List.exe
PID 1084 wrote to memory of 1468	1084	Packing List.exe	Packing List.exe
PID 1084 wrote to memory of 1468	1084	Packing List.exe	Packing List.exe
PID 1084 wrote to memory of 1468	1084	Packing List.exe	Packing List.exe
PID 1084 wrote to memory of 1468	1084	Packing List.exe	Packing List.exe
PID 1084 wrote to memory of 1468	1084	Packing List.exe	Packing List.exe
PID 1084 wrote to memory of 1468	1084	Packing List.exe	Packing List.exe
PID 1084 wrote to memory of 1468	1084	Packing List.exe	Packing List.exe

outlook_office_path 1 IoCs

Processes:

Packing List.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Packing List.exe

outlook_win_path 1 IoCs

Processes:

Packing List.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Packing List.exe

C:\Users\Admin\AppData\Local\Temp\Packing List.exe
"C:\Users\Admin\AppData\Local\Temp\Packing List.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JFayYhgVIm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JFayYhgVIm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC247.tmp"
2⤵
- Creates scheduled task(s)
PID:1812

C:\Users\Admin\AppData\Local\Temp\Packing List.exe
"C:\Users\Admin\AppData\Local\Temp\Packing List.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC247.tmp
Filesize
1KB

MD5
a473f66429e558a5240479d0bfc3682d

SHA1
6923d2bff4dbda46b4dbd2ee4efd979717ba7b1e

SHA256
6010cc212377d81eb17937e0a6c4452d50b54954f999c02389923b893d63cc61

SHA512
589c06bb49d5a759bacca80bd6a11b107d7c926eda17e9ad7c6137e39f12a3c68a006afbe3472ea6b336e3efa8419b59a941c646cbf24f6c2cb6efdda0ed1f0e

Download Submit
memory/1084-54-0x00000000008D0000-0x0000000000992000-memory.dmp

Filesize
776KB

Download
memory/1084-55-0x0000000004B00000-0x0000000004B40000-memory.dmp

Filesize
256KB

Download
memory/1084-56-0x0000000000330000-0x0000000000350000-memory.dmp

Filesize
128KB

Download
memory/1084-57-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/1084-58-0x0000000005770000-0x0000000005810000-memory.dmp

Filesize
640KB

Download
memory/1084-66-0x0000000004A50000-0x0000000004A78000-memory.dmp

Filesize
160KB

Download
memory/1180-77-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/1468-68-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1468-69-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1468-70-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1468-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1468-72-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1468-74-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1468-76-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1468-67-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads