snakekeylogger | 23032bc9472a424d68f6423a31bf3e9cf0fa5ded87ab630d1a8234091758f4de

General

Target

MV GOLDEN SCHULTE.exe
Size

542KB
MD5

764acf7bd23649efdb25086f62d69ce5
SHA1

b4560eef798766d6737b33708ffc720c773e5a7d
SHA256

23032bc9472a424d68f6423a31bf3e9cf0fa5ded87ab630d1a8234091758f4de
SHA512

292b149ef1d2f0e8821d551b83c871e73b990ef2f2334b4489329b175a49f67c6bce6536f228072c408fa65d1771ccff35fc6c576235816d1b7f880c6059ada3
SSDEEP

6144:t445seHtUlG/GdH7Vya9DPyI9Ww7B8rNYd3P8l4JpBB4EDNX67iMUHtDq40zaHeE:kAsOEVyaNv9W/I3P8lupBB7W8440rJd

Score

10^/10

snakekeylogger stormkitty collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
argona.ro
Port:
26
Username:
[email protected]
Password:
Argona12!@
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

resource	yara_rule
behavioral1/memory/1408-71-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1408-70-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1408-73-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1408-75-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1408-77-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

resource	yara_rule
behavioral1/memory/1408-71-0x0000000000400000-0x0000000000426000-memory.dmp	family_stormkitty
behavioral1/memory/1408-70-0x0000000000400000-0x0000000000426000-memory.dmp	family_stormkitty
behavioral1/memory/1408-73-0x0000000000400000-0x0000000000426000-memory.dmp	family_stormkitty
behavioral1/memory/1408-75-0x0000000000400000-0x0000000000426000-memory.dmp	family_stormkitty
behavioral1/memory/1408-77-0x0000000000400000-0x0000000000426000-memory.dmp	family_stormkitty

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MV GOLDEN SCHULTE.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MV GOLDEN SCHULTE.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MV GOLDEN SCHULTE.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1260 set thread context of 1408	1260	MV GOLDEN SCHULTE.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
268	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1260	MV GOLDEN SCHULTE.exe
1260	MV GOLDEN SCHULTE.exe
1260	MV GOLDEN SCHULTE.exe
1260	MV GOLDEN SCHULTE.exe
1408	MV GOLDEN SCHULTE.exe
1584	powershell.exe
1408	MV GOLDEN SCHULTE.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1260	MV GOLDEN SCHULTE.exe
Token: SeDebugPrivilege	1408	MV GOLDEN SCHULTE.exe
Token: SeDebugPrivilege	1584	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1584	1260	MV GOLDEN SCHULTE.exe	28
PID 1260 wrote to memory of 1584	1260	MV GOLDEN SCHULTE.exe	28
PID 1260 wrote to memory of 1584	1260	MV GOLDEN SCHULTE.exe	28
PID 1260 wrote to memory of 1584	1260	MV GOLDEN SCHULTE.exe	28
PID 1260 wrote to memory of 268	1260	MV GOLDEN SCHULTE.exe	30
PID 1260 wrote to memory of 268	1260	MV GOLDEN SCHULTE.exe	30
PID 1260 wrote to memory of 268	1260	MV GOLDEN SCHULTE.exe	30
PID 1260 wrote to memory of 268	1260	MV GOLDEN SCHULTE.exe	30
PID 1260 wrote to memory of 664	1260	MV GOLDEN SCHULTE.exe	32
PID 1260 wrote to memory of 664	1260	MV GOLDEN SCHULTE.exe	32
PID 1260 wrote to memory of 664	1260	MV GOLDEN SCHULTE.exe	32
PID 1260 wrote to memory of 664	1260	MV GOLDEN SCHULTE.exe	32
PID 1260 wrote to memory of 1408	1260	MV GOLDEN SCHULTE.exe	33
PID 1260 wrote to memory of 1408	1260	MV GOLDEN SCHULTE.exe	33
PID 1260 wrote to memory of 1408	1260	MV GOLDEN SCHULTE.exe	33
PID 1260 wrote to memory of 1408	1260	MV GOLDEN SCHULTE.exe	33
PID 1260 wrote to memory of 1408	1260	MV GOLDEN SCHULTE.exe	33
PID 1260 wrote to memory of 1408	1260	MV GOLDEN SCHULTE.exe	33
PID 1260 wrote to memory of 1408	1260	MV GOLDEN SCHULTE.exe	33
PID 1260 wrote to memory of 1408	1260	MV GOLDEN SCHULTE.exe	33
PID 1260 wrote to memory of 1408	1260	MV GOLDEN SCHULTE.exe	33

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MV GOLDEN SCHULTE.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MV GOLDEN SCHULTE.exe

C:\Users\Admin\AppData\Local\Temp\MV GOLDEN SCHULTE.exe
"C:\Users\Admin\AppData\Local\Temp\MV GOLDEN SCHULTE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eDQEydjQ.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDQEydjQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC84F.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:268
- C:\Users\Admin\AppData\Local\Temp\MV GOLDEN SCHULTE.exe
  "C:\Users\Admin\AppData\Local\Temp\MV GOLDEN SCHULTE.exe"
  2⤵
  PID:664
- C:\Users\Admin\AppData\Local\Temp\MV GOLDEN SCHULTE.exe
  "C:\Users\Admin\AppData\Local\Temp\MV GOLDEN SCHULTE.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC84F.tmp

Filesize
1KB

MD5
389e36bbc4c38f194ca38fa4ab50ad60

SHA1
571f8f7f8d54cf991c47b963174eba919b7c5031

SHA256
aae1a140b6f094501865a279971a15da8230cdfdd1c3c6c0282c149225ec8de3

SHA512
124b79820412f5167a35388eed94109a7805356254534f5ef10bba9e58d047b313104eaa1f7c436d6567795fa586b4abc01c9612bb266bbcbf1d4db492e59811

Download Submit
memory/1260-54-0x0000000000AC0000-0x0000000000B4E000-memory.dmp

Filesize
568KB

Download
memory/1260-55-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/1260-56-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/1260-57-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/1260-58-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/1260-59-0x0000000005070000-0x00000000050D2000-memory.dmp

Filesize
392KB

Download
memory/1260-67-0x00000000048F0000-0x0000000004918000-memory.dmp

Filesize
160KB

Download
memory/1408-68-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1408-71-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1408-70-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1408-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1408-73-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1408-69-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1408-75-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1408-77-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1584-78-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/1584-79-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads