snakekeylogger | 665c33346068602aa17a78330daa2986d4fc9460bf137e163e18185dce7caf23

General

Target

SWIFT.exe
Size

522KB
MD5

185a8c9aaf5006b2b5a6fab61e5a10ad
SHA1

f8d841def0b60dc6df8f9fdf0c5040e33ed10279
SHA256

7e8283583026a288a16c98682ce3cf18308f78cb08cebf3dd6b3376aa7089733
SHA512

eb27248b6f35d831d77c326e0c34338080511fed305e7f46e47020d4ed438756774654f71e51381fd0a34d8e7d04e935ab44d9c42d6b7b0c79d4b74c0ae0d11b
SSDEEP

12288:DlccvGC/90tlB/WiDzf6VJaIzxz68QQGpZdAHa4/y:RlmlWiDb3ixz68QQwHA69

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5932548741:AAFytn5z9IUn93hcbUn3eb19fE08x1AWGz0/sendMessage?chat_id=5034680713

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

resource	yara_rule
behavioral1/memory/1180-75-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1180-76-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1180-78-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1180-80-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1180-82-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1180-83-0x00000000048A0000-0x00000000048E0000-memory.dmp	family_snakekeylogger

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SWIFT.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SWIFT.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SWIFT.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1728 set thread context of 1180	1728	SWIFT.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1180	SWIFT.exe
556	powershell.exe
1052	powershell.exe
1180	SWIFT.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	SWIFT.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1052	1728	SWIFT.exe	28
PID 1728 wrote to memory of 1052	1728	SWIFT.exe	28
PID 1728 wrote to memory of 1052	1728	SWIFT.exe	28
PID 1728 wrote to memory of 1052	1728	SWIFT.exe	28
PID 1728 wrote to memory of 556	1728	SWIFT.exe	30
PID 1728 wrote to memory of 556	1728	SWIFT.exe	30
PID 1728 wrote to memory of 556	1728	SWIFT.exe	30
PID 1728 wrote to memory of 556	1728	SWIFT.exe	30
PID 1728 wrote to memory of 1280	1728	SWIFT.exe	32
PID 1728 wrote to memory of 1280	1728	SWIFT.exe	32
PID 1728 wrote to memory of 1280	1728	SWIFT.exe	32
PID 1728 wrote to memory of 1280	1728	SWIFT.exe	32
PID 1728 wrote to memory of 1180	1728	SWIFT.exe	34
PID 1728 wrote to memory of 1180	1728	SWIFT.exe	34
PID 1728 wrote to memory of 1180	1728	SWIFT.exe	34
PID 1728 wrote to memory of 1180	1728	SWIFT.exe	34
PID 1728 wrote to memory of 1180	1728	SWIFT.exe	34
PID 1728 wrote to memory of 1180	1728	SWIFT.exe	34
PID 1728 wrote to memory of 1180	1728	SWIFT.exe	34
PID 1728 wrote to memory of 1180	1728	SWIFT.exe	34
PID 1728 wrote to memory of 1180	1728	SWIFT.exe	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SWIFT.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SWIFT.exe

C:\Users\Admin\AppData\Local\Temp\SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SWIFT.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tneIUKzEe.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tneIUKzEe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD55A.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1280
- C:\Users\Admin\AppData\Local\Temp\SWIFT.exe
  "C:\Users\Admin\AppData\Local\Temp\SWIFT.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD55A.tmp

Filesize
1KB

MD5
3b5f5c02fa0219815cc01a65dd72741d

SHA1
d4339ad0e84cb72161924b6638d894df435e7f01

SHA256
2a662cdca185936b8f18018c9984cae2bbecb7febb14632280edea18fa5968e6

SHA512
5f6c396f59b53961e0822b74b1955eb414de43180d07fd4457dd26655c7d292b12a4a942632c0f0bbf559fb5432f8411bbdd0b688a8298b86323b76ee02d1c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FO6I09LAY0HGJNR69JIQ.temp

Filesize
7KB

MD5
1d0cb5cb70debb08df44567ef919d3e4

SHA1
7d9ab75869902a235e1b071576b2a27a231f7683

SHA256
11527a3ce69578621fea8374cf3f0b0098ab945dff7e51d6df615762869f6876

SHA512
f6c22f61d4d5de28fc84c6a5bc6a5cc162803a05257030f8ef48888347e29ebea5850ebdc0eeb90727ec928686a904ae97d69979d7ec87e18c2b4b230a169acd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1d0cb5cb70debb08df44567ef919d3e4

SHA1
7d9ab75869902a235e1b071576b2a27a231f7683

SHA256
11527a3ce69578621fea8374cf3f0b0098ab945dff7e51d6df615762869f6876

SHA512
f6c22f61d4d5de28fc84c6a5bc6a5cc162803a05257030f8ef48888347e29ebea5850ebdc0eeb90727ec928686a904ae97d69979d7ec87e18c2b4b230a169acd

Download Submit
memory/1180-78-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1180-80-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1180-84-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download
memory/1180-83-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download
memory/1180-82-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1180-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1180-73-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1180-74-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1180-75-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1180-76-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1728-72-0x0000000004380000-0x00000000043A8000-memory.dmp

Filesize
160KB

Download
memory/1728-55-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1728-54-0x0000000000E10000-0x0000000000E9A000-memory.dmp

Filesize
552KB

Download
memory/1728-58-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/1728-56-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/1728-57-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1728-59-0x0000000004800000-0x0000000004860000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads