snakekeylogger | 7f01e18e55c703b1a21ec0f57483da3de9d5565ce3e440028d40cf553977a101

General

Target

Shipping Documents.pdf.exe
Size

955KB
MD5

942bae42d55b0f96f3b71d4615ceade1
SHA1

ab228e994517f9172791fc811af5c7d97feeb62b
SHA256

7f01e18e55c703b1a21ec0f57483da3de9d5565ce3e440028d40cf553977a101
SHA512

f0ff10f52c474157bf5d53673ec929d67aee9cf325e97cc53800e2cd0ec2e2fabe7662c9d8b5d86f08bb4444d201e5ea0e45a79946faa0c28b05703d96beb205
SSDEEP

12288:hxBk76hehkkhj63DlY7E3RbHN1Hn9+xUkU07O8R:hxuvXj6h3RN1HfkF7n

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5869504375:AAFm1Z7IkZTyjASpoFpmokA0jISwF8dTPE0/sendMessage?chat_id=6033043077

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

resource	yara_rule
behavioral1/memory/388-74-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/388-75-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/388-77-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/388-79-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/388-81-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Shipping Documents.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Shipping Documents.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Shipping Documents.pdf.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 864 set thread context of 388	864	Shipping Documents.pdf.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
388	Shipping Documents.pdf.exe
588	powershell.exe
780	powershell.exe
388	Shipping Documents.pdf.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	388	Shipping Documents.pdf.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 588	864	Shipping Documents.pdf.exe	28
PID 864 wrote to memory of 588	864	Shipping Documents.pdf.exe	28
PID 864 wrote to memory of 588	864	Shipping Documents.pdf.exe	28
PID 864 wrote to memory of 588	864	Shipping Documents.pdf.exe	28
PID 864 wrote to memory of 780	864	Shipping Documents.pdf.exe	30
PID 864 wrote to memory of 780	864	Shipping Documents.pdf.exe	30
PID 864 wrote to memory of 780	864	Shipping Documents.pdf.exe	30
PID 864 wrote to memory of 780	864	Shipping Documents.pdf.exe	30
PID 864 wrote to memory of 320	864	Shipping Documents.pdf.exe	32
PID 864 wrote to memory of 320	864	Shipping Documents.pdf.exe	32
PID 864 wrote to memory of 320	864	Shipping Documents.pdf.exe	32
PID 864 wrote to memory of 320	864	Shipping Documents.pdf.exe	32
PID 864 wrote to memory of 388	864	Shipping Documents.pdf.exe	34
PID 864 wrote to memory of 388	864	Shipping Documents.pdf.exe	34
PID 864 wrote to memory of 388	864	Shipping Documents.pdf.exe	34
PID 864 wrote to memory of 388	864	Shipping Documents.pdf.exe	34
PID 864 wrote to memory of 388	864	Shipping Documents.pdf.exe	34
PID 864 wrote to memory of 388	864	Shipping Documents.pdf.exe	34
PID 864 wrote to memory of 388	864	Shipping Documents.pdf.exe	34
PID 864 wrote to memory of 388	864	Shipping Documents.pdf.exe	34
PID 864 wrote to memory of 388	864	Shipping Documents.pdf.exe	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Shipping Documents.pdf.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Shipping Documents.pdf.exe

C:\Users\Admin\AppData\Local\Temp\Shipping Documents.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Documents.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:588
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QTgIqHSWvlZhX.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QTgIqHSWvlZhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB701.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:320
- C:\Users\Admin\AppData\Local\Temp\Shipping Documents.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.pdf.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB701.tmp

Filesize
1KB

MD5
1e2e9ad0a60f7de08240dc5077847681

SHA1
bf170144e62bf47552f97bd05fcd279c7e822db5

SHA256
9c7bc8a515daeec5f521e8046085624a3a21ddabbb262671c7a8f38aae6d8540

SHA512
9466815f9b2086541f12413cad1f254cccc8383487858e1cc223d220cc27d03ffa67ff7ebf9a3fe71a62fe169d72643f538fc4d6f7185fd89491d2df6e0adcb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7C7U4Q7VN1U8YH4GWZJC.temp

Filesize
7KB

MD5
97897476d1b75f66d6c51976048b1da2

SHA1
266dc4b64932ee02fc9035bd9bf65e72921a6c89

SHA256
05ffdf194eb496b9daf5d72529ddaf15ab47e110bbd08ba7fd00b026768f0ebe

SHA512
a72db162399e1a401ea4a7772259699d6f6d776850bd1752a047e4d5e755c01d065ab6d148e8136ceb0e8e8307cc4c24a956eeccd9b96e2d09ebf3a0656e0e19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
97897476d1b75f66d6c51976048b1da2

SHA1
266dc4b64932ee02fc9035bd9bf65e72921a6c89

SHA256
05ffdf194eb496b9daf5d72529ddaf15ab47e110bbd08ba7fd00b026768f0ebe

SHA512
a72db162399e1a401ea4a7772259699d6f6d776850bd1752a047e4d5e755c01d065ab6d148e8136ceb0e8e8307cc4c24a956eeccd9b96e2d09ebf3a0656e0e19

Download Submit
memory/388-79-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/388-81-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/388-77-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/388-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/388-75-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/388-74-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/388-72-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/388-73-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/588-82-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/780-83-0x0000000000480000-0x00000000004C0000-memory.dmp

Filesize
256KB

Download
memory/780-84-0x0000000000480000-0x00000000004C0000-memory.dmp

Filesize
256KB

Download
memory/864-55-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/864-56-0x0000000000290000-0x000000000029C000-memory.dmp

Filesize
48KB

Download
memory/864-57-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/864-59-0x00000000057C0000-0x0000000005820000-memory.dmp

Filesize
384KB

Download
memory/864-54-0x0000000001010000-0x0000000001106000-memory.dmp

Filesize
984KB

Download
memory/864-58-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads