snakekeylogger | 148e2bede0b826dfbaa3b409373e8635e810a39fff7e5677c2baae19f1be01e1

General

Target

PO 10F-1051207533.exe
Size

1.2MB
MD5

07a2a21b1cd78886464c8efa44fff37c
SHA1

56c8dc825ff074d8710fdadeb83c349c10138903
SHA256

148e2bede0b826dfbaa3b409373e8635e810a39fff7e5677c2baae19f1be01e1
SHA512

baeaca79b1bb2f6da95db6a01429438e979ef7ff6e821731f4331197670fd344d96a9072bc353a15e34535991d97d693bfc1575a36315f7ec06d922c7bcc2543
SSDEEP

24576:aTbBv5rUDoZ++AC4vw3DKvMrBW4eNTygt90e+hoyaxl6V:sBpZ+HCD2vMr8jygt+0i

Score

10^/10

snakekeylogger collection keylogger persistence stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6112875567:AAELAi1dztc_XKpDFEg1a1IG01250o2gxXs/sendMessage?chat_id=5687933537

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

resource	yara_rule
behavioral1/memory/1500-109-0x00000000003B0000-0x000000000088E000-memory.dmp	family_snakekeylogger
behavioral1/memory/1500-111-0x00000000003B0000-0x000000000088E000-memory.dmp	family_snakekeylogger
behavioral1/memory/1500-113-0x00000000003B0000-0x000000000088E000-memory.dmp	family_snakekeylogger
behavioral1/memory/1500-114-0x00000000003B0000-0x00000000003D6000-memory.dmp	family_snakekeylogger
behavioral1/memory/1500-115-0x0000000004EA0000-0x0000000004EE0000-memory.dmp	family_snakekeylogger
behavioral1/memory/1500-116-0x0000000004EA0000-0x0000000004EE0000-memory.dmp	family_snakekeylogger

Executes dropped EXE 1 IoCs

pid	Process
292	hvjxknlpe.pif

Loads dropped DLL 1 IoCs

pid	Process
1112	wscript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	hvjxknlpe.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\bxol\\HVJXKN~1.PIF c:\\bxol\\LQKKGI~1.XML"	hvjxknlpe.pif

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 292 set thread context of 1500	292	hvjxknlpe.pif	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1500	RegSvcs.exe
1500	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	RegSvcs.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1112	1948	PO 10F-1051207533.exe	28
PID 1948 wrote to memory of 1112	1948	PO 10F-1051207533.exe	28
PID 1948 wrote to memory of 1112	1948	PO 10F-1051207533.exe	28
PID 1948 wrote to memory of 1112	1948	PO 10F-1051207533.exe	28
PID 1112 wrote to memory of 292	1112	wscript.exe	29
PID 1112 wrote to memory of 292	1112	wscript.exe	29
PID 1112 wrote to memory of 292	1112	wscript.exe	29
PID 1112 wrote to memory of 292	1112	wscript.exe	29
PID 1112 wrote to memory of 292	1112	wscript.exe	29
PID 1112 wrote to memory of 292	1112	wscript.exe	29
PID 1112 wrote to memory of 292	1112	wscript.exe	29
PID 292 wrote to memory of 1500	292	hvjxknlpe.pif	30
PID 292 wrote to memory of 1500	292	hvjxknlpe.pif	30
PID 292 wrote to memory of 1500	292	hvjxknlpe.pif	30
PID 292 wrote to memory of 1500	292	hvjxknlpe.pif	30
PID 292 wrote to memory of 1500	292	hvjxknlpe.pif	30
PID 292 wrote to memory of 1500	292	hvjxknlpe.pif	30
PID 292 wrote to memory of 1500	292	hvjxknlpe.pif	30
PID 292 wrote to memory of 1500	292	hvjxknlpe.pif	30
PID 292 wrote to memory of 1500	292	hvjxknlpe.pif	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\PO 10F-1051207533.exe
"C:\Users\Admin\AppData\Local\Temp\PO 10F-1051207533.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" Update-qo.v.vbe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\bxol\hvjxknlpe.pif
    "C:\bxol\hvjxknlpe.pif" lqkkgikgnm.xml
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:292
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\bxol\NAQKAJ~1.HUJ

Filesize
217KB

MD5
ee3c5dcd49f323c19cebf01e7ef9445c

SHA1
354df9e952d81ac666c65a5497ace8424a07feff

SHA256
76eb72f0f3032b26cac902f30d7fa3f6440e31d64e034c0dad70f47fbc53d273

SHA512
a8cae3df92cb90cb1d9a458b422e63e3eb630e9e4e6d9a35437e9193ac926c3e87691484e8f5eda05813d3292775212882b9066ef50954934bc22d5f07c2155e

Download Submit
C:\bxol\Update-qo.v.vbe

Filesize
91KB

MD5
d56a1ae5e70d0466d0ad61c33dd78fd5

SHA1
e92611857d9ea05c93f57b28b506dc2a6ca58d15

SHA256
85ad528739a964c9a3a5cd01a91f9f0cc2139dca3400f2d4b8e1be500599d908

SHA512
1685582f6d88220a04f1a62d3c5c1c70229581270029f8090e0043fe039d989fa31e60c7aa0c0c3cc441ba32e0c411485a07adaf9ec7a4a303ba4790a1c9e536

Download Submit
C:\bxol\hvjxknlpe.pif

Filesize
1.6MB

MD5
fbbbb48b0e272d81a095cd246f4d8028

SHA1
e4eb10dd13d3fe45417e5317b0edaaccdb78fbf2

SHA256
ce5a0747aa542be8717a532a060b63523a9ddad73795084c1ed6370cbbf296f6

SHA512
78ef158bd23d610aaee86036eede53145e6f3e1dd2297c270484b47652043eef8eef9bd202edbf1f6a8a4cc924e99b8c9f8939a259aea7d69acf58da8b774b27

Download Submit
C:\bxol\hvjxknlpe.pif

Filesize
1.6MB

MD5
fbbbb48b0e272d81a095cd246f4d8028

SHA1
e4eb10dd13d3fe45417e5317b0edaaccdb78fbf2

SHA256
ce5a0747aa542be8717a532a060b63523a9ddad73795084c1ed6370cbbf296f6

SHA512
78ef158bd23d610aaee86036eede53145e6f3e1dd2297c270484b47652043eef8eef9bd202edbf1f6a8a4cc924e99b8c9f8939a259aea7d69acf58da8b774b27

Download Submit
C:\bxol\lqkkgikgnm.xml

Filesize
11.8MB

MD5
bb321d6789b216248e1a5d650b2a7f80

SHA1
73ba1dc54a23273e755fbecc8cddf057be2cf5a8

SHA256
f574b7518067f7ae643206443a27747f10654fdf07871e3355ec3ae27005bf7d

SHA512
d9765f8df117d41fd5e7c496bef16a551adcf7da4879519c5fa4899a094abd08459fd815ec9b35d209f7820d1a21190b931444ea71274470cb4fd162493c8e52

Download Submit
C:\bxol\ofvjroidg.docx

Filesize
36KB

MD5
c66aadb6b5813d7bdd33ae1864a2896c

SHA1
fc5b18689091a1ab2539c7978d115fd0ed8d3f75

SHA256
6e7df03b89c14e76ed0c11ed2764ff7e8a99ca60760d23e6ec232412f0368f36

SHA512
54608c47f9db2b11f95c6de6860328b1b701586f52e35138789d8543acd757d6b01c71d3ee2eec2b2c61f50ae3dd920ddfaf78c9e76d1f091bbb5a2bb15875e7

Download Submit
\bxol\hvjxknlpe.pif

Filesize
1.6MB

MD5
fbbbb48b0e272d81a095cd246f4d8028

SHA1
e4eb10dd13d3fe45417e5317b0edaaccdb78fbf2

SHA256
ce5a0747aa542be8717a532a060b63523a9ddad73795084c1ed6370cbbf296f6

SHA512
78ef158bd23d610aaee86036eede53145e6f3e1dd2297c270484b47652043eef8eef9bd202edbf1f6a8a4cc924e99b8c9f8939a259aea7d69acf58da8b774b27

Download Submit
memory/1500-107-0x00000000003B0000-0x000000000088E000-memory.dmp

Filesize
4.9MB

Download
memory/1500-108-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1500-109-0x00000000003B0000-0x000000000088E000-memory.dmp

Filesize
4.9MB

Download
memory/1500-111-0x00000000003B0000-0x000000000088E000-memory.dmp

Filesize
4.9MB

Download
memory/1500-113-0x00000000003B0000-0x000000000088E000-memory.dmp

Filesize
4.9MB

Download
memory/1500-114-0x00000000003B0000-0x00000000003D6000-memory.dmp

Filesize
152KB

Download
memory/1500-115-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/1500-116-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing