snakekeylogger | 82a5ab20cca30fb6373b256808762ba3fe16ea61c36ccaa60d676c171f6741f6

General

Target

Shipping Documents.pdf.exe
Size

704KB
MD5

903734f7c57dc9f7de2e10c8efdddb44
SHA1

c4942900cb85153d90371e52398d42e4e715b756
SHA256

82a5ab20cca30fb6373b256808762ba3fe16ea61c36ccaa60d676c171f6741f6
SHA512

21cced8ccdbb367cd4e4c54364dbe7e7f9d1c5010b29772a7cd2df8cc81d5ffd448bb93bb5715fbc70b8c276a6340d36e543b306d59b52f082ca6faa08ab41bc
SSDEEP

12288:t4ZfTp7kxmYcuENSNi3UT8kI5FRTcMAHNOzE+v07NCRB4:tmLNGAXNSiUT8ffnr07

Score

10^/10

snakekeylogger stormkitty collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6029559841:AAEqr8_NCfqapJgAzw8PoPbqoCosnsk1VO0/sendMessage?chat_id=6033043077

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

resource	yara_rule
behavioral1/memory/984-77-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/984-78-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/984-80-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/984-82-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/984-84-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

resource	yara_rule
behavioral1/memory/984-77-0x0000000000400000-0x0000000000426000-memory.dmp	family_stormkitty
behavioral1/memory/984-78-0x0000000000400000-0x0000000000426000-memory.dmp	family_stormkitty
behavioral1/memory/984-80-0x0000000000400000-0x0000000000426000-memory.dmp	family_stormkitty
behavioral1/memory/984-82-0x0000000000400000-0x0000000000426000-memory.dmp	family_stormkitty
behavioral1/memory/984-84-0x0000000000400000-0x0000000000426000-memory.dmp	family_stormkitty

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Shipping Documents.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Shipping Documents.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Shipping Documents.pdf.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1340 set thread context of 984	1340	Shipping Documents.pdf.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
984	Shipping Documents.pdf.exe
756	powershell.exe
1496	powershell.exe
984	Shipping Documents.pdf.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	984	Shipping Documents.pdf.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 756	1340	Shipping Documents.pdf.exe	28
PID 1340 wrote to memory of 756	1340	Shipping Documents.pdf.exe	28
PID 1340 wrote to memory of 756	1340	Shipping Documents.pdf.exe	28
PID 1340 wrote to memory of 756	1340	Shipping Documents.pdf.exe	28
PID 1340 wrote to memory of 1496	1340	Shipping Documents.pdf.exe	30
PID 1340 wrote to memory of 1496	1340	Shipping Documents.pdf.exe	30
PID 1340 wrote to memory of 1496	1340	Shipping Documents.pdf.exe	30
PID 1340 wrote to memory of 1496	1340	Shipping Documents.pdf.exe	30
PID 1340 wrote to memory of 1412	1340	Shipping Documents.pdf.exe	32
PID 1340 wrote to memory of 1412	1340	Shipping Documents.pdf.exe	32
PID 1340 wrote to memory of 1412	1340	Shipping Documents.pdf.exe	32
PID 1340 wrote to memory of 1412	1340	Shipping Documents.pdf.exe	32
PID 1340 wrote to memory of 984	1340	Shipping Documents.pdf.exe	34
PID 1340 wrote to memory of 984	1340	Shipping Documents.pdf.exe	34
PID 1340 wrote to memory of 984	1340	Shipping Documents.pdf.exe	34
PID 1340 wrote to memory of 984	1340	Shipping Documents.pdf.exe	34
PID 1340 wrote to memory of 984	1340	Shipping Documents.pdf.exe	34
PID 1340 wrote to memory of 984	1340	Shipping Documents.pdf.exe	34
PID 1340 wrote to memory of 984	1340	Shipping Documents.pdf.exe	34
PID 1340 wrote to memory of 984	1340	Shipping Documents.pdf.exe	34
PID 1340 wrote to memory of 984	1340	Shipping Documents.pdf.exe	34
PID 984 wrote to memory of 1696	984	Shipping Documents.pdf.exe	35
PID 984 wrote to memory of 1696	984	Shipping Documents.pdf.exe	35
PID 984 wrote to memory of 1696	984	Shipping Documents.pdf.exe	35
PID 984 wrote to memory of 1696	984	Shipping Documents.pdf.exe	35

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Shipping Documents.pdf.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Shipping Documents.pdf.exe

C:\Users\Admin\AppData\Local\Temp\Shipping Documents.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Documents.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QGqSfBwIEFtO.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QGqSfBwIEFtO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCAA0.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1412
- C:\Users\Admin\AppData\Local\Temp\Shipping Documents.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.pdf.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:984
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" wlan show profile
    3⤵
    PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCAA0.tmp

Filesize
1KB

MD5
582cd37b554f79ab734499f7211c5442

SHA1
7e384edac53a0e8d716220670c482c57c7245f97

SHA256
9a9bc74986e8703aafab96e7693fcb6c427b772ec6b35d0f4eed5243f1b92fe9

SHA512
37df8fc8fe649762552474631ca4298084b6387350d6547db573f73293a6fb122648083096a7d0ae648f0a3b048e0c5a936e9c50e15af60ba09114ec3e43c822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AB9L7VOET3K607Y8BHZC.temp

Filesize
7KB

MD5
2caaaa24d8da0685e93afc844b366be5

SHA1
a5a5565fd9d6143bd21d7b490803e22300eb60bc

SHA256
c4f170777490f7a66944b3b56b4d2540e130562243242a2c22ec1cd3f3e7a1bb

SHA512
d098acd821754ebd16a9709da67c46b0f548d93cc1580329fa9282d4b0b9576290c3d0a35933de27b21eafe3883e9160bff4b52b15951deecf25f628a22a691f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2caaaa24d8da0685e93afc844b366be5

SHA1
a5a5565fd9d6143bd21d7b490803e22300eb60bc

SHA256
c4f170777490f7a66944b3b56b4d2540e130562243242a2c22ec1cd3f3e7a1bb

SHA512
d098acd821754ebd16a9709da67c46b0f548d93cc1580329fa9282d4b0b9576290c3d0a35933de27b21eafe3883e9160bff4b52b15951deecf25f628a22a691f

Download Submit
memory/756-74-0x00000000027C0000-0x0000000002800000-memory.dmp

Filesize
256KB

Download
memory/984-76-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/984-84-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/984-82-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/984-79-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/984-80-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/984-78-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/984-77-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/984-73-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1340-59-0x0000000005660000-0x00000000056DA000-memory.dmp

Filesize
488KB

Download
memory/1340-72-0x0000000001120000-0x0000000001164000-memory.dmp

Filesize
272KB

Download
memory/1340-54-0x0000000001160000-0x0000000001216000-memory.dmp

Filesize
728KB

Download
memory/1340-58-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/1340-57-0x0000000000370000-0x00000000003B0000-memory.dmp

Filesize
256KB

Download
memory/1340-56-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/1340-55-0x0000000000370000-0x00000000003B0000-memory.dmp

Filesize
256KB

Download
memory/1496-75-0x0000000002630000-0x0000000002670000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads