snakekeylogger | bde75e5a73df3ef95e72fd79905f718427f70945166bbf8558f9e84b3605abaa

General

Target

INVOICE.exe
Size

572KB
MD5

1457e577596abbbe8fa4e98e2fece1da
SHA1

7817268b3b29232cd8dc35ced850f60867f9e24d
SHA256

bde75e5a73df3ef95e72fd79905f718427f70945166bbf8558f9e84b3605abaa
SHA512

2b9b7f57b9be93d98c5b2d0444caffa81ce8161884328b4d38299017d3348d1b145b4ccc890d4238aff58f13b6410c749537c5bd76f7cfc1d4c594f2f47d0dc6
SSDEEP

12288:7n2iNxQPYsPEiLHEm/YZYg8p+9bhr4zZsdU:b12YsciLHFYmM9bhRd

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
silverkeyinternational.com
Port:
25
Username:
[email protected]
Password:
Key@2022

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

resource	yara_rule
behavioral1/memory/780-67-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/780-68-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/780-70-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/780-74-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/780-72-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INVOICE.exe
Key opened	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INVOICE.exe
Key opened	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INVOICE.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2036 set thread context of 780	2036	INVOICE.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1400	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2036	INVOICE.exe
2036	INVOICE.exe
780	INVOICE.exe
768	powershell.exe
780	INVOICE.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	INVOICE.exe
Token: SeDebugPrivilege	780	INVOICE.exe
Token: SeDebugPrivilege	768	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 768	2036	INVOICE.exe	27
PID 2036 wrote to memory of 768	2036	INVOICE.exe	27
PID 2036 wrote to memory of 768	2036	INVOICE.exe	27
PID 2036 wrote to memory of 768	2036	INVOICE.exe	27
PID 2036 wrote to memory of 1400	2036	INVOICE.exe	29
PID 2036 wrote to memory of 1400	2036	INVOICE.exe	29
PID 2036 wrote to memory of 1400	2036	INVOICE.exe	29
PID 2036 wrote to memory of 1400	2036	INVOICE.exe	29
PID 2036 wrote to memory of 780	2036	INVOICE.exe	31
PID 2036 wrote to memory of 780	2036	INVOICE.exe	31
PID 2036 wrote to memory of 780	2036	INVOICE.exe	31
PID 2036 wrote to memory of 780	2036	INVOICE.exe	31
PID 2036 wrote to memory of 780	2036	INVOICE.exe	31
PID 2036 wrote to memory of 780	2036	INVOICE.exe	31
PID 2036 wrote to memory of 780	2036	INVOICE.exe	31
PID 2036 wrote to memory of 780	2036	INVOICE.exe	31
PID 2036 wrote to memory of 780	2036	INVOICE.exe	31

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INVOICE.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3465915139-4244146034-2076118314-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	INVOICE.exe

C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GrsOwoPibU.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GrsOwoPibU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC469.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1400
- C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
  "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC469.tmp

Filesize
1KB

MD5
b510b8c7ae7cc263e3b0137b4b3448d9

SHA1
906650758f58f0e99af240f31a3c02aa5f15d3f4

SHA256
d092f21dc9c703f34fa142aa456c85d83518f08fc5c7e2922afb30d9e6f4389f

SHA512
6ce6fcfdb18eb883f0a1d1ae85202aba1048d53509d7e23278f5f3fb115e35609a1ba3935a72eabd6a541dd52ab87ca2f9a21bb875b8a31321c660dede83769d

Download Submit
memory/768-78-0x0000000002580000-0x00000000025C0000-memory.dmp

Filesize
256KB

Download
memory/780-70-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/780-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/780-77-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/780-72-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/780-74-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/780-66-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/780-67-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/780-65-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/780-68-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2036-56-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/2036-54-0x0000000001060000-0x00000000010F6000-memory.dmp

Filesize
600KB

Download
memory/2036-57-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/2036-59-0x0000000005140000-0x00000000051A0000-memory.dmp

Filesize
384KB

Download
memory/2036-58-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/2036-55-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads