snakekeylogger | dc9a1f9a6534e1fb2a7cdd410b0d94b8a55eebef7f26302f358c2f715fe3d30e

Analysis

max time kernel
136s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2023, 08:48

Target

3f1101fc46386a1a429d486be5d8bae3.exe
Size

365KB
MD5

3f1101fc46386a1a429d486be5d8bae3
SHA1

b7654e3c896f147d1849749e9fce418be7b28859
SHA256

dc9a1f9a6534e1fb2a7cdd410b0d94b8a55eebef7f26302f358c2f715fe3d30e
SHA512

b6ac741b5af7994bf84d9e5c20e4f0f800390792fbee11dda68ff0139fe9c4c32fe83ceb198393d976673de53abd6c07414014a9fa55c036716d358ebe877759
SSDEEP

6144:mDW5mfXMetOQbuRZCewRjdcxxyZkUHtl73LpsgrpeXbDIIPPCUMFulS+42:t5m/XOQyRZgdcxxyZb3LpfbEnlS+42

Score

10^/10

Family

snakekeylogger

Credentials

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/3368-142-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2448 set thread context of 3368	2448	3f1101fc46386a1a429d486be5d8bae3.exe	93

Program crash 1 IoCs

pid	pid_target	Process	procid_target
396	3368	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3368	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3368	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 3368	2448	3f1101fc46386a1a429d486be5d8bae3.exe	93
PID 2448 wrote to memory of 3368	2448	3f1101fc46386a1a429d486be5d8bae3.exe	93
PID 2448 wrote to memory of 3368	2448	3f1101fc46386a1a429d486be5d8bae3.exe	93
PID 2448 wrote to memory of 3368	2448	3f1101fc46386a1a429d486be5d8bae3.exe	93
PID 2448 wrote to memory of 3368	2448	3f1101fc46386a1a429d486be5d8bae3.exe	93
PID 2448 wrote to memory of 3368	2448	3f1101fc46386a1a429d486be5d8bae3.exe	93
PID 2448 wrote to memory of 3368	2448	3f1101fc46386a1a429d486be5d8bae3.exe	93
PID 2448 wrote to memory of 3368	2448	3f1101fc46386a1a429d486be5d8bae3.exe	93

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3368 -ip 3368
1⤵
PID:2244

memory/2448-139-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/2448-145-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/2448-135-0x00000000059E0000-0x0000000005F84000-memory.dmp

Filesize
5.6MB

Download
memory/2448-136-0x0000000005430000-0x00000000054C2000-memory.dmp

Filesize
584KB

Download
memory/2448-137-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/2448-138-0x00000000055E0000-0x00000000055EA000-memory.dmp

Filesize
40KB

Download
memory/2448-141-0x0000000006CF0000-0x0000000006D8C000-memory.dmp

Filesize
624KB

Download
memory/2448-133-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/2448-134-0x00000000009E0000-0x0000000000A42000-memory.dmp

Filesize
392KB

Download
memory/2448-140-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/3368-146-0x0000000005A80000-0x0000000005A90000-memory.dmp

Filesize
64KB

Download
memory/3368-144-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download
memory/3368-142-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3368-147-0x0000000075320000-0x0000000075AD0000-memory.dmp

Filesize
7.7MB

Download