snakekeylogger | 240425b2812962dbb4faa0bf79741dca873efdfbd03a1edfd6dfbafb573b1353

General

Target

DOCUMENT.exe
Size

400.0MB
MD5

e2638e646b62a210e138adacb551d0b3
SHA1

08c84305ad48439626e5a15a49f639714c61cf0b
SHA256

1b82db028a2e3cfd34f3e2eec873da2e87e458b36581bebca0bc04a8d7f60aba
SHA512

92d3f246e4dd908c583216815f3f9e421172d270b26c2a7a592c135b7876fcc6075ba741621f428be4cce664e7071475745dd510fdc6e479d81053acae9944bd
SSDEEP

12288:E7FAPAQo3JU1HYIywtfeWUV/fzQjfqlvmTCNwmrYn5n+wuPrhSa:E76QZUk4Uh78g+ONwiYn5nCroa

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.product-secured.com
Port:
21
Username:
[email protected]
Password:
2V8SHFwjad34@@##

Extracted

Family

snakekeylogger

Credentials

Protocol: ftp
Host:
ftp://ftp.product-secured.com/
Port:
21
Username:
[email protected]
Password:
2V8SHFwjad34@@##

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4968-7-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DOCUMENT.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	DOCUMENT.exe

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

4500 svchost.exe
4368 svchost.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4500	svchost.exe
4368	svchost.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

DOCUMENT.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DOCUMENT.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DOCUMENT.exe
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DOCUMENT.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

47 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

DOCUMENT.exe

description pid process target process

PID 2780 set thread context of 4968 2780 DOCUMENT.exe DOCUMENT.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2456 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

DOCUMENT.exe

pid process

4968 DOCUMENT.exe
4968 DOCUMENT.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DOCUMENT.exe

description pid process

Token: SeDebugPrivilege 4968 DOCUMENT.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

DOCUMENT.exe

pid process

4968 DOCUMENT.exe

flow	ioc
47	checkip.dyndns.org

description	pid	process	target process
PID 2780 set thread context of 4968	2780	DOCUMENT.exe	DOCUMENT.exe

pid	process
2456	schtasks.exe

pid	process
4968	DOCUMENT.exe
4968	DOCUMENT.exe

description	pid	process
Token: SeDebugPrivilege	4968	DOCUMENT.exe

pid	process
4968	DOCUMENT.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

DOCUMENT.execmd.exe

description	pid	process	target process
PID 2780 wrote to memory of 4968	2780	DOCUMENT.exe	DOCUMENT.exe
PID 2780 wrote to memory of 4968	2780	DOCUMENT.exe	DOCUMENT.exe
PID 2780 wrote to memory of 4968	2780	DOCUMENT.exe	DOCUMENT.exe
PID 2780 wrote to memory of 4968	2780	DOCUMENT.exe	DOCUMENT.exe
PID 2780 wrote to memory of 4968	2780	DOCUMENT.exe	DOCUMENT.exe
PID 2780 wrote to memory of 4968	2780	DOCUMENT.exe	DOCUMENT.exe
PID 2780 wrote to memory of 4968	2780	DOCUMENT.exe	DOCUMENT.exe
PID 2780 wrote to memory of 4968	2780	DOCUMENT.exe	DOCUMENT.exe
PID 2780 wrote to memory of 4500	2780	DOCUMENT.exe	svchost.exe
PID 2780 wrote to memory of 4500	2780	DOCUMENT.exe	svchost.exe
PID 2780 wrote to memory of 4500	2780	DOCUMENT.exe	svchost.exe
PID 2780 wrote to memory of 4144	2780	DOCUMENT.exe	cmd.exe
PID 2780 wrote to memory of 4144	2780	DOCUMENT.exe	cmd.exe
PID 2780 wrote to memory of 4144	2780	DOCUMENT.exe	cmd.exe
PID 2780 wrote to memory of 3152	2780	DOCUMENT.exe	cmd.exe
PID 2780 wrote to memory of 3152	2780	DOCUMENT.exe	cmd.exe
PID 2780 wrote to memory of 3152	2780	DOCUMENT.exe	cmd.exe
PID 2780 wrote to memory of 3308	2780	DOCUMENT.exe	cmd.exe
PID 2780 wrote to memory of 3308	2780	DOCUMENT.exe	cmd.exe
PID 2780 wrote to memory of 3308	2780	DOCUMENT.exe	cmd.exe
PID 3152 wrote to memory of 2456	3152	cmd.exe	schtasks.exe
PID 3152 wrote to memory of 2456	3152	cmd.exe	schtasks.exe
PID 3152 wrote to memory of 2456	3152	cmd.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

DOCUMENT.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DOCUMENT.exe

outlook_win_path 1 IoCs

Processes:

DOCUMENT.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DOCUMENT.exe

C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe
"C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2780

C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe
"C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:4968

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
PID:4500

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\DOCUMENT.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2456

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:4144

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
401KB

MD5
deba7b69f10f006b43b174d40e7094b7

SHA1
ebec55598c21a17daf9aad948168bfa2d71c960d

SHA256
cac89ee424be23bfb4784ffdbf398746e5b82e8eb800586441694e7e15afae14

SHA512
0b78bd2fab64417727d01e296df1264611572e6557cfa4a93bca957e664f5eb3fb51d680688f5b61147d6b2a2841f5222f7360ec1fc7499b8f88501f46189c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
401KB

MD5
deba7b69f10f006b43b174d40e7094b7

SHA1
ebec55598c21a17daf9aad948168bfa2d71c960d

SHA256
cac89ee424be23bfb4784ffdbf398746e5b82e8eb800586441694e7e15afae14

SHA512
0b78bd2fab64417727d01e296df1264611572e6557cfa4a93bca957e664f5eb3fb51d680688f5b61147d6b2a2841f5222f7360ec1fc7499b8f88501f46189c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
401KB

MD5
deba7b69f10f006b43b174d40e7094b7

SHA1
ebec55598c21a17daf9aad948168bfa2d71c960d

SHA256
cac89ee424be23bfb4784ffdbf398746e5b82e8eb800586441694e7e15afae14

SHA512
0b78bd2fab64417727d01e296df1264611572e6557cfa4a93bca957e664f5eb3fb51d680688f5b61147d6b2a2841f5222f7360ec1fc7499b8f88501f46189c2a

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
256KB

MD5
dd044277b130d28e7c3048a2ccfed983

SHA1
96b78f716d8c0ba24cf82cb3ef044e11f40b5124

SHA256
969d92769b77c7a8b56b94c0aec68e39aca1531d67ed9ad6600b4598430bb86b

SHA512
d36fd762890a3e88820e9bcc52367cf927c9f0b5248f8562cb7dea2e99d3b02158575b221b090709a31549d8fc90302d58d954897f6357465aaad2d9b13fa56b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
335KB

MD5
b0020c87478c9f63bfba85c7ed00013c

SHA1
686f7f8c5b6e13c7f9516662e153f6f259bd1b2f

SHA256
eaeea0396da04804b53d8886c3718ecae1687577e6601a6c85529b599aa40f1c

SHA512
42cb2e4e7f82a9181a4c8ee7e44b0430f7692dfa1be50f175b31af55693bf49321988d5db181ad44b9abf9731dc99ba5e2b75ce3a0e9b65a911abcd25af36f69

Download Submit
memory/2780-6-0x0000000005AB0000-0x0000000005B58000-memory.dmp

Filesize
672KB

Download
memory/2780-25-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/2780-0-0x0000000000D60000-0x0000000000E48000-memory.dmp

Filesize
928KB

Download
memory/2780-2-0x0000000005E60000-0x0000000006404000-memory.dmp

Filesize
5.6MB

Download
memory/2780-1-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/2780-3-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/2780-5-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/2780-4-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4500-33-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4500-22-0x00000000004B0000-0x000000000051A000-memory.dmp

Filesize
424KB

Download
memory/4500-24-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4968-10-0x0000000004F90000-0x000000000502C000-memory.dmp

Filesize
624KB

Download
memory/4968-28-0x0000000006280000-0x00000000062D0000-memory.dmp

Filesize
320KB

Download
memory/4968-29-0x00000000064A0000-0x0000000006662000-memory.dmp

Filesize
1.8MB

Download
memory/4968-30-0x0000000006670000-0x0000000006702000-memory.dmp

Filesize
584KB

Download
memory/4968-31-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4968-32-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/4968-11-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/4968-34-0x0000000006A60000-0x0000000006A6A000-memory.dmp

Filesize
40KB

Download
memory/4968-35-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/4968-9-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4968-7-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads