snakekeylogger | c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d

Analysis

max time kernel
90s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2023 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d.exe
Size

414KB
MD5

238c1f75b4f373cfc75d3f485f11a52f
SHA1

6b5ae2e707506457200423be17c590814ab7f9b9
SHA256

c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d
SHA512

637f680a507144cdc0e9ec15939828d5cf4e3b1aa4ecc7a89823d4fc63a14f4fc7bffe3a8bdc9dbcfdc3f95a66bb068de2b6d9ec2afd662e1760b12360ba0e20
SSDEEP

6144:7gDM0GgLaOwh3biYqc0kpScxhSrT59AmNJ50AZSzGzWpD+unyBTgwLr4h6/+JaHT:sM0GgLCh3b/msI/59tVb/t

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot5119849130:AAH9bA2q-m0_WzXWnrogmxWWr6mEoa7_8bU/sendMessage?chat_id=5047293465

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/1068-143-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	checkip.dyndns.org
37	freegeoip.app
38	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1608 set thread context of 1068	1608	c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3228	1068	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1608	c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d.exe
1608	c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d.exe
1068	c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d.exe
Token: SeDebugPrivilege	1068	c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1068	1608	c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d.exe	90
PID 1608 wrote to memory of 1068	1608	c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d.exe	90
PID 1608 wrote to memory of 1068	1608	c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d.exe	90
PID 1608 wrote to memory of 1068	1608	c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d.exe	90
PID 1608 wrote to memory of 1068	1608	c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d.exe	90
PID 1608 wrote to memory of 1068	1608	c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d.exe	90
PID 1608 wrote to memory of 1068	1608	c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d.exe	90
PID 1608 wrote to memory of 1068	1608	c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d.exe	90

C:\Users\Admin\AppData\Local\Temp\c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d.exe
"C:\Users\Admin\AppData\Local\Temp\c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d.exe
  "C:\Users\Admin\AppData\Local\Temp\c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1812
    3⤵
    - Program crash
    PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1068 -ip 1068
1⤵
PID:3660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\c6eec3188ecb9a33232370c4a9e5cecd93ba8aeebcde53ad6783ed115b38f14d.exe.log

Filesize
1KB

MD5
0888fbe812b034cd494df9e0d609b3fd

SHA1
7c08e06f6a6653c8e195281defe1af1f3cb4bcf6

SHA256
841883b4c0de1e1477b09ed4e1506189acf9f31254ecf9552a9d9c80b410607b

SHA512
65f5ce3c0ed0f28bafcf923b7c135be83714f8db59ca3459bce94a2e75591c60cb761527acdbeb7a1dfcacf6e1bbf379c3c64d0daad3935265412ef7deb4e044

Download Submit
memory/1068-143-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1068-146-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1608-139-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1608-137-0x000000000B290000-0x000000000B322000-memory.dmp

Filesize
584KB

Download
memory/1608-138-0x000000000B420000-0x000000000B42A000-memory.dmp

Filesize
40KB

Download
memory/1608-133-0x0000000000550000-0x00000000005BE000-memory.dmp

Filesize
440KB

Download
memory/1608-140-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1608-141-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1608-142-0x00000000080B0000-0x00000000080D2000-memory.dmp

Filesize
136KB

Download
memory/1608-136-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1608-135-0x00000000055F0000-0x0000000005B94000-memory.dmp

Filesize
5.6MB

Download
memory/1608-134-0x0000000004FA0000-0x000000000503C000-memory.dmp

Filesize
624KB

Download