snakekeylogger | 6076d3956e79dc8752564da23a3dfa0100509b647128e82552bd234e5fa61ae8

General

Target

Payment for MAWB NO 297-8450-7231 TT.exe
Size

1014KB
MD5

098024da9b3784a0b27f64db4f2a2f36
SHA1

93fae08652dcc71457988ac2f9726963974a40d4
SHA256

6076d3956e79dc8752564da23a3dfa0100509b647128e82552bd234e5fa61ae8
SHA512

0a6a9418c99583b46290a725bd7ccabc0995eb8f5a948835905fea5efd516f0801a4c3c48ed74afcc874a709106c09871c46066280dfcafd669ca3d8d1f07f65
SSDEEP

24576:wF2/4lUw/FGjVKfW5BMqUE53nTOHh1NLof7G7:wF2/ei0WAdwqHh1N0TG

Score

10^/10

snakekeylogger collection keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
25
Username:
triihope931@gmail.com
Password:
iebtzpacgzyullvo

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1752-70-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1752-71-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1752-73-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1752-75-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1752-77-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1752-78-0x0000000004A90000-0x0000000004AD0000-memory.dmp	family_snakekeylogger

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Payment for MAWB NO 297-8450-7231 TT.exe

description pid process target process

PID 2040 set thread context of 1752 2040 Payment for MAWB NO 297-8450-7231 TT.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

760 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Payment for MAWB NO 297-8450-7231 TT.exeRegSvcs.exepowershell.exe

pid process

2040 Payment for MAWB NO 297-8450-7231 TT.exe
2040 Payment for MAWB NO 297-8450-7231 TT.exe
1752 RegSvcs.exe
1292 powershell.exe
1752 RegSvcs.exe

flow	ioc
4	checkip.dyndns.org

description	pid	process	target process
PID 2040 set thread context of 1752	2040	Payment for MAWB NO 297-8450-7231 TT.exe	RegSvcs.exe

pid	process
760	schtasks.exe

pid	process
2040	Payment for MAWB NO 297-8450-7231 TT.exe
2040	Payment for MAWB NO 297-8450-7231 TT.exe
1752	RegSvcs.exe
1292	powershell.exe
1752	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Payment for MAWB NO 297-8450-7231 TT.exeRegSvcs.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2040	Payment for MAWB NO 297-8450-7231 TT.exe
Token: SeDebugPrivilege	1752	RegSvcs.exe
Token: SeDebugPrivilege	1292	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Payment for MAWB NO 297-8450-7231 TT.exe

description	pid	process	target process
PID 2040 wrote to memory of 1292	2040	Payment for MAWB NO 297-8450-7231 TT.exe	powershell.exe
PID 2040 wrote to memory of 1292	2040	Payment for MAWB NO 297-8450-7231 TT.exe	powershell.exe
PID 2040 wrote to memory of 1292	2040	Payment for MAWB NO 297-8450-7231 TT.exe	powershell.exe
PID 2040 wrote to memory of 1292	2040	Payment for MAWB NO 297-8450-7231 TT.exe	powershell.exe
PID 2040 wrote to memory of 760	2040	Payment for MAWB NO 297-8450-7231 TT.exe	schtasks.exe
PID 2040 wrote to memory of 760	2040	Payment for MAWB NO 297-8450-7231 TT.exe	schtasks.exe
PID 2040 wrote to memory of 760	2040	Payment for MAWB NO 297-8450-7231 TT.exe	schtasks.exe
PID 2040 wrote to memory of 760	2040	Payment for MAWB NO 297-8450-7231 TT.exe	schtasks.exe
PID 2040 wrote to memory of 1752	2040	Payment for MAWB NO 297-8450-7231 TT.exe	RegSvcs.exe
PID 2040 wrote to memory of 1752	2040	Payment for MAWB NO 297-8450-7231 TT.exe	RegSvcs.exe
PID 2040 wrote to memory of 1752	2040	Payment for MAWB NO 297-8450-7231 TT.exe	RegSvcs.exe
PID 2040 wrote to memory of 1752	2040	Payment for MAWB NO 297-8450-7231 TT.exe	RegSvcs.exe
PID 2040 wrote to memory of 1752	2040	Payment for MAWB NO 297-8450-7231 TT.exe	RegSvcs.exe
PID 2040 wrote to memory of 1752	2040	Payment for MAWB NO 297-8450-7231 TT.exe	RegSvcs.exe
PID 2040 wrote to memory of 1752	2040	Payment for MAWB NO 297-8450-7231 TT.exe	RegSvcs.exe
PID 2040 wrote to memory of 1752	2040	Payment for MAWB NO 297-8450-7231 TT.exe	RegSvcs.exe
PID 2040 wrote to memory of 1752	2040	Payment for MAWB NO 297-8450-7231 TT.exe	RegSvcs.exe
PID 2040 wrote to memory of 1752	2040	Payment for MAWB NO 297-8450-7231 TT.exe	RegSvcs.exe
PID 2040 wrote to memory of 1752	2040	Payment for MAWB NO 297-8450-7231 TT.exe	RegSvcs.exe
PID 2040 wrote to memory of 1752	2040	Payment for MAWB NO 297-8450-7231 TT.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Payment for MAWB NO 297-8450-7231 TT.exe
"C:\Users\Admin\AppData\Local\Temp\Payment for MAWB NO 297-8450-7231 TT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JPGFYeOdJLLf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JPGFYeOdJLLf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAF24.tmp"
2⤵
- Creates scheduled task(s)
PID:760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAF24.tmp
Filesize
1KB

MD5
9bdcda3b5b9a4384bb58e77d1dfb8de0

SHA1
7be68de7b182fce8fefdde9c133dd282d6fd1dc8

SHA256
afc5e4b1763e03dfd5ce1642fe6ddb014188fefbee6add448653c78a6a1902f1

SHA512
551a3ee26b3def8915cfe04bc0183bf5c707e16f9d7f128c11c22f4a60801feeb41b5ad2930ba8ae8f7c4e88add98295f3d97299757ff3d0a5e62e5b52bc08e0

Download Submit
memory/1292-80-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/1292-79-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/1752-77-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1752-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1752-81-0x0000000004A90000-0x0000000004AD0000-memory.dmp

Filesize
256KB

Download
memory/1752-78-0x0000000004A90000-0x0000000004AD0000-memory.dmp

Filesize
256KB

Download
memory/1752-75-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1752-68-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1752-69-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1752-70-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1752-71-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1752-73-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2040-58-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2040-65-0x0000000008050000-0x00000000080C4000-memory.dmp

Filesize
464KB

Download
memory/2040-54-0x0000000000FC0000-0x00000000010C4000-memory.dmp

Filesize
1.0MB

Download
memory/2040-57-0x0000000004DD0000-0x0000000004E10000-memory.dmp

Filesize
256KB

Download
memory/2040-56-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2040-55-0x0000000004DD0000-0x0000000004E10000-memory.dmp

Filesize
256KB

Download
memory/2040-59-0x0000000007F50000-0x0000000007FFC000-memory.dmp

Filesize
688KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads