snakekeylogger | dc9a1f9a6534e1fb2a7cdd410b0d94b8a55eebef7f26302f358c2f715fe3d30e

General

Target

3f1101fc46386a1a429d486be5d8bae3.exe
Size

365KB
MD5

3f1101fc46386a1a429d486be5d8bae3
SHA1

b7654e3c896f147d1849749e9fce418be7b28859
SHA256

dc9a1f9a6534e1fb2a7cdd410b0d94b8a55eebef7f26302f358c2f715fe3d30e
SHA512

b6ac741b5af7994bf84d9e5c20e4f0f800390792fbee11dda68ff0139fe9c4c32fe83ceb198393d976673de53abd6c07414014a9fa55c036716d358ebe877759
SSDEEP

6144:mDW5mfXMetOQbuRZCewRjdcxxyZkUHtl73LpsgrpeXbDIIPPCUMFulS+42:t5m/XOQyRZgdcxxyZb3LpfbEnlS+42

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.alroman.com
Port:
587
Username:
[email protected]
Password:
abc@24638
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

resource	yara_rule
behavioral1/memory/2108-63-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2108-64-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2108-67-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2108-69-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2108-72-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2108-74-0x00000000003A0000-0x00000000003E0000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2388 set thread context of 2108	2388	3f1101fc46386a1a429d486be5d8bae3.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2892	2108	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2108	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2108	2388	3f1101fc46386a1a429d486be5d8bae3.exe	30
PID 2388 wrote to memory of 2108	2388	3f1101fc46386a1a429d486be5d8bae3.exe	30
PID 2388 wrote to memory of 2108	2388	3f1101fc46386a1a429d486be5d8bae3.exe	30
PID 2388 wrote to memory of 2108	2388	3f1101fc46386a1a429d486be5d8bae3.exe	30
PID 2388 wrote to memory of 2108	2388	3f1101fc46386a1a429d486be5d8bae3.exe	30
PID 2388 wrote to memory of 2108	2388	3f1101fc46386a1a429d486be5d8bae3.exe	30
PID 2388 wrote to memory of 2108	2388	3f1101fc46386a1a429d486be5d8bae3.exe	30
PID 2388 wrote to memory of 2108	2388	3f1101fc46386a1a429d486be5d8bae3.exe	30
PID 2388 wrote to memory of 2108	2388	3f1101fc46386a1a429d486be5d8bae3.exe	30
PID 2388 wrote to memory of 2108	2388	3f1101fc46386a1a429d486be5d8bae3.exe	30
PID 2388 wrote to memory of 2108	2388	3f1101fc46386a1a429d486be5d8bae3.exe	30
PID 2388 wrote to memory of 2108	2388	3f1101fc46386a1a429d486be5d8bae3.exe	30
PID 2108 wrote to memory of 2892	2108	RegSvcs.exe	31
PID 2108 wrote to memory of 2892	2108	RegSvcs.exe	31
PID 2108 wrote to memory of 2892	2108	RegSvcs.exe	31
PID 2108 wrote to memory of 2892	2108	RegSvcs.exe	31

C:\Users\Admin\AppData\Local\Temp\3f1101fc46386a1a429d486be5d8bae3.exe
"C:\Users\Admin\AppData\Local\Temp\3f1101fc46386a1a429d486be5d8bae3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 972
    3⤵
    - Program crash
    PID:2892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2108-67-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2108-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2108-75-0x0000000073370000-0x0000000073A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2108-63-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2108-74-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2108-62-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2108-73-0x0000000073370000-0x0000000073A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2108-61-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2108-72-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2108-64-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2108-69-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2388-59-0x0000000004B00000-0x0000000004B40000-memory.dmp

Filesize
256KB

Download
memory/2388-54-0x0000000000050000-0x00000000000B2000-memory.dmp

Filesize
392KB

Download
memory/2388-70-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/2388-57-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/2388-55-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/2388-60-0x0000000005120000-0x0000000005168000-memory.dmp

Filesize
288KB

Download
memory/2388-58-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/2388-56-0x0000000004B00000-0x0000000004B40000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing