snakekeylogger | e41b0a6b4bcbd587687a7d0fb61fad61a4540df2b09bee9c19f2dccb1478e554

Analysis

max time kernel
131s
max time network
142s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08/05/2023, 08:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

FQLyYRkV5TDGG6f.exe
Size

524KB
MD5

10dc3c76d29fb969b5b68b912b66b16d
SHA1

0d3f98e0bc89a0302f906cf6289e8e2160583f21
SHA256

e41b0a6b4bcbd587687a7d0fb61fad61a4540df2b09bee9c19f2dccb1478e554
SHA512

428b1dfc13fff88a45f6ba0c234c38ea9cf7507220ae9eb733544c77dc9b1fd89beb1fb1092552a9ec56e12f6b6f32921a164a716cf4fff307e17dd8f3da232c
SSDEEP

12288:bDKmJhQdb7XXZaR1uyCwcMLsIg+oTQWppw3tHsPHePw:XKw+HpWDcBIgpSHoe

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot5843567515:AAEdtJWwcJKNn64U81CKVdG-li_Ejds8raM/sendMessage?chat_id=1639214896

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 7 IoCs

resource	yara_rule
behavioral1/memory/2020-63-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2020-64-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2020-66-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2020-68-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2020-70-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2020-71-0x0000000004A90000-0x0000000004AD0000-memory.dmp	family_snakekeylogger
behavioral1/memory/2020-72-0x0000000004A90000-0x0000000004AD0000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1980 set thread context of 2020	1980	FQLyYRkV5TDGG6f.exe	28

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1980	FQLyYRkV5TDGG6f.exe
1980	FQLyYRkV5TDGG6f.exe
1980	FQLyYRkV5TDGG6f.exe
1980	FQLyYRkV5TDGG6f.exe
1980	FQLyYRkV5TDGG6f.exe
1980	FQLyYRkV5TDGG6f.exe
2020	FQLyYRkV5TDGG6f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1980	FQLyYRkV5TDGG6f.exe
Token: SeDebugPrivilege	2020	FQLyYRkV5TDGG6f.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2020	1980	FQLyYRkV5TDGG6f.exe	28
PID 1980 wrote to memory of 2020	1980	FQLyYRkV5TDGG6f.exe	28
PID 1980 wrote to memory of 2020	1980	FQLyYRkV5TDGG6f.exe	28
PID 1980 wrote to memory of 2020	1980	FQLyYRkV5TDGG6f.exe	28
PID 1980 wrote to memory of 2020	1980	FQLyYRkV5TDGG6f.exe	28
PID 1980 wrote to memory of 2020	1980	FQLyYRkV5TDGG6f.exe	28
PID 1980 wrote to memory of 2020	1980	FQLyYRkV5TDGG6f.exe	28
PID 1980 wrote to memory of 2020	1980	FQLyYRkV5TDGG6f.exe	28
PID 1980 wrote to memory of 2020	1980	FQLyYRkV5TDGG6f.exe	28

C:\Users\Admin\AppData\Local\Temp\FQLyYRkV5TDGG6f.exe
"C:\Users\Admin\AppData\Local\Temp\FQLyYRkV5TDGG6f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\FQLyYRkV5TDGG6f.exe
  "C:\Users\Admin\AppData\Local\Temp\FQLyYRkV5TDGG6f.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1980-54-0x0000000000A40000-0x0000000000ACA000-memory.dmp

Filesize
552KB

Download
memory/1980-55-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/1980-56-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/1980-57-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/1980-58-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/1980-59-0x0000000005050000-0x00000000050B0000-memory.dmp

Filesize
384KB

Download
memory/1980-60-0x0000000001EE0000-0x0000000001F08000-memory.dmp

Filesize
160KB

Download
memory/2020-61-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2020-62-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2020-63-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2020-64-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2020-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2020-66-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2020-68-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2020-70-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2020-71-0x0000000004A90000-0x0000000004AD0000-memory.dmp

Filesize
256KB

Download
memory/2020-72-0x0000000004A90000-0x0000000004AD0000-memory.dmp

Filesize
256KB

Download