snakekeylogger | de14f0684525fb1e88fd930b745955d6e7d007b664c9643fd6ef03568e234a4e

Analysis

max time kernel
73s
max time network
77s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03/05/2023, 03:44

Target

SnakeKeylogger-main/bin/Debug/Snake Keylogger.exe
Size

6.0MB
MD5

f9960f5488085181b45238a827f471de
SHA1

0aeafc8d62db430da2d1899cb0b0bbc215762215
SHA256

3b6b10baa64d343487c73a1a8eed90216f0a4f8f7ed5712a6ed8bb9353a69dec
SHA512

e1819aac0da75331433c9ba3721706c0d3f16df4c6ceaa4d0a9a4e84ce1f9b0cb693ee3641d8ac5b723af8e055a9459c6b590032dbde2da646d8057c2b604188
SSDEEP

49152:RgkLFVus/0tGxAPbN34EG1nFCiQ9bozruSX0RIglO1CuL9VNcaCdGczKITh1fkx:Rjes0tGx7K6rt6MpChJ

Score

10^/10

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral9/memory/1520-54-0x0000000001170000-0x0000000001774000-memory.dmp	family_snakekeylogger

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

resource	yara_rule
behavioral9/memory/1520-54-0x0000000001170000-0x0000000001774000-memory.dmp	beds_protector

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1676	1520	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	Snake Keylogger.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1676	1520	Snake Keylogger.exe	29
PID 1520 wrote to memory of 1676	1520	Snake Keylogger.exe	29
PID 1520 wrote to memory of 1676	1520	Snake Keylogger.exe	29

C:\Users\Admin\AppData\Local\Temp\SnakeKeylogger-main\bin\Debug\Snake Keylogger.exe
"C:\Users\Admin\AppData\Local\Temp\SnakeKeylogger-main\bin\Debug\Snake Keylogger.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1520 -s 1928
  2⤵
  - Program crash
  PID:1676

memory/1520-54-0x0000000001170000-0x0000000001774000-memory.dmp

Filesize
6.0MB

Download
memory/1520-55-0x0000000000510000-0x0000000000564000-memory.dmp

Filesize
336KB

Download
memory/1520-56-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/1520-57-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/1520-58-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/1520-59-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/1520-60-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/1520-61-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download