snakekeylogger | f547ec43a3052eff8afc3e21f6fd0915c60cb967af4c8db1e7d9a9cf4fa7de88

General

Target

PXU422.exe
Size

753KB
MD5

6a6816bc6f0c4e9da9f8b5ed0863eed1
SHA1

56d2c76029c5d2036a697f2b9f1e5f9564f7c2ee
SHA256

a278b60ab0bd9823527c0d86509a3a5f31f107e4f8e70761cd62395e27738a0f
SHA512

ad7830f9a85858ce057832611527fddd4d6bc0ad0a01a1d6dd362fd360ef354f405a627d123aba42987e4cdffc1b36a4940e4ec59c1df43e8394f5fe2cf56b4e
SSDEEP

12288:rKewx/NscEQ+vgXK1Hsa+cmKo1W5qlp1HoADehqfx7b5w4JC2Off03i0mMRry8B+:eewlqB6p5pKosquA0a7C4JCan9y8Ae5Q

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
siamtmc.com
Port:
587
Username:
[email protected]
Password:
s0mp0ng06

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
siamtmc.com
Port:
587
Username:
[email protected]
Password:
s0mp0ng06
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

resource	yara_rule
behavioral1/memory/1836-68-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1836-69-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1836-71-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1836-73-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1836-75-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1108-78-0x00000000025E0000-0x0000000002620000-memory.dmp	family_snakekeylogger

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PXU422.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PXU422.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PXU422.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1808 set thread context of 1836	1808	PXU422.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1808	PXU422.exe
1808	PXU422.exe
1836	PXU422.exe
1108	powershell.exe
1836	PXU422.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1808	PXU422.exe
Token: SeDebugPrivilege	1836	PXU422.exe
Token: SeDebugPrivilege	1108	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1108	1808	PXU422.exe	28
PID 1808 wrote to memory of 1108	1808	PXU422.exe	28
PID 1808 wrote to memory of 1108	1808	PXU422.exe	28
PID 1808 wrote to memory of 1108	1808	PXU422.exe	28
PID 1808 wrote to memory of 676	1808	PXU422.exe	30
PID 1808 wrote to memory of 676	1808	PXU422.exe	30
PID 1808 wrote to memory of 676	1808	PXU422.exe	30
PID 1808 wrote to memory of 676	1808	PXU422.exe	30
PID 1808 wrote to memory of 1836	1808	PXU422.exe	32
PID 1808 wrote to memory of 1836	1808	PXU422.exe	32
PID 1808 wrote to memory of 1836	1808	PXU422.exe	32
PID 1808 wrote to memory of 1836	1808	PXU422.exe	32
PID 1808 wrote to memory of 1836	1808	PXU422.exe	32
PID 1808 wrote to memory of 1836	1808	PXU422.exe	32
PID 1808 wrote to memory of 1836	1808	PXU422.exe	32
PID 1808 wrote to memory of 1836	1808	PXU422.exe	32
PID 1808 wrote to memory of 1836	1808	PXU422.exe	32

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PXU422.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PXU422.exe

C:\Users\Admin\AppData\Local\Temp\PXU422.exe
"C:\Users\Admin\AppData\Local\Temp\PXU422.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pEtRWDrPAr.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pEtRWDrPAr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAE2B.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:676
- C:\Users\Admin\AppData\Local\Temp\PXU422.exe
  "C:\Users\Admin\AppData\Local\Temp\PXU422.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAE2B.tmp

Filesize
1KB

MD5
fe945568af318ca53a0c51ead130c658

SHA1
feccc5f64d4e6edd3f5ee8ae722cc95a3ccafeae

SHA256
6ab0dfab0a6f09615fd55cd3c052718a26f56d893c5bdac89e534700ca1e9c87

SHA512
b36788ca6e3e9f180bf0ea3296565c185ad06c50eafed9c1f2291c14a857b7f636f0b03ade126ae6a159ccb177a04fa5410c94647232f528e45f3294a0516e21

Download Submit
memory/1108-78-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/1808-55-0x00000000042E0000-0x0000000004320000-memory.dmp

Filesize
256KB

Download
memory/1808-56-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/1808-57-0x00000000042E0000-0x0000000004320000-memory.dmp

Filesize
256KB

Download
memory/1808-58-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/1808-59-0x00000000053A0000-0x000000000541E000-memory.dmp

Filesize
504KB

Download
memory/1808-65-0x0000000004D70000-0x0000000004DB8000-memory.dmp

Filesize
288KB

Download
memory/1808-54-0x00000000008D0000-0x0000000000992000-memory.dmp

Filesize
776KB

Download
memory/1836-66-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1836-68-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1836-69-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1836-71-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1836-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1836-73-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1836-75-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1836-67-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1836-79-0x00000000023B0000-0x00000000023F0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads