snakekeylogger | 77fc980c2c8f9412e843d83cb4b808e7dfc9b459aaa7f1936b7d93bc7357bfbb

General

Target

docyo20230925.exe
Size

821KB
MD5

4eac3586289f9081f51432e739f3b240
SHA1

066a458315c10ba6aa827958ec79627007daccf6
SHA256

77fc980c2c8f9412e843d83cb4b808e7dfc9b459aaa7f1936b7d93bc7357bfbb
SHA512

bf3fff5ab21cd54a0774ba0b1a7d1a5f42b1f542888ac74d3f79d23df6fe535ea88ca4a6d74d3fc94caf01a371f679551436ecad233521f5fbedde42551b7ca8
SSDEEP

24576:1X5KAkazacwCw8RdFK0W3fDkqgy9nEsY:1X5KEacxdRLI3rkqpNQ

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.product-secured.com
Port:
21
Username:
[email protected]
Password:
2V8SHFwjad34@@##

Extracted

Family

snakekeylogger

Credentials

Protocol: ftp
Host:
ftp://ftp.product-secured.com/
Port:
21
Username:
[email protected]
Password:
2V8SHFwjad34@@##

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1312-7-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

docyo20230925.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	docyo20230925.exe

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

3624 svchost.exe
2260 svchost.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3624	svchost.exe
2260	svchost.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

docyo20230925.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	docyo20230925.exe
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	docyo20230925.exe
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	docyo20230925.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

61 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

docyo20230925.exe

description pid process target process

PID 4484 set thread context of 1312 4484 docyo20230925.exe docyo20230925.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1496 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

docyo20230925.exe

pid process

1312 docyo20230925.exe
1312 docyo20230925.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

docyo20230925.exe

description pid process

Token: SeDebugPrivilege 1312 docyo20230925.exe

flow	ioc
61	checkip.dyndns.org

description	pid	process	target process
PID 4484 set thread context of 1312	4484	docyo20230925.exe	docyo20230925.exe

pid	process
1496	schtasks.exe

pid	process
1312	docyo20230925.exe
1312	docyo20230925.exe

description	pid	process
Token: SeDebugPrivilege	1312	docyo20230925.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

docyo20230925.execmd.exe

description	pid	process	target process
PID 4484 wrote to memory of 1312	4484	docyo20230925.exe	docyo20230925.exe
PID 4484 wrote to memory of 1312	4484	docyo20230925.exe	docyo20230925.exe
PID 4484 wrote to memory of 1312	4484	docyo20230925.exe	docyo20230925.exe
PID 4484 wrote to memory of 1312	4484	docyo20230925.exe	docyo20230925.exe
PID 4484 wrote to memory of 1312	4484	docyo20230925.exe	docyo20230925.exe
PID 4484 wrote to memory of 1312	4484	docyo20230925.exe	docyo20230925.exe
PID 4484 wrote to memory of 1312	4484	docyo20230925.exe	docyo20230925.exe
PID 4484 wrote to memory of 1312	4484	docyo20230925.exe	docyo20230925.exe
PID 4484 wrote to memory of 3624	4484	docyo20230925.exe	svchost.exe
PID 4484 wrote to memory of 3624	4484	docyo20230925.exe	svchost.exe
PID 4484 wrote to memory of 3624	4484	docyo20230925.exe	svchost.exe
PID 4484 wrote to memory of 4752	4484	docyo20230925.exe	cmd.exe
PID 4484 wrote to memory of 4752	4484	docyo20230925.exe	cmd.exe
PID 4484 wrote to memory of 4752	4484	docyo20230925.exe	cmd.exe
PID 4484 wrote to memory of 3028	4484	docyo20230925.exe	cmd.exe
PID 4484 wrote to memory of 3028	4484	docyo20230925.exe	cmd.exe
PID 4484 wrote to memory of 3028	4484	docyo20230925.exe	cmd.exe
PID 4484 wrote to memory of 2060	4484	docyo20230925.exe	cmd.exe
PID 4484 wrote to memory of 2060	4484	docyo20230925.exe	cmd.exe
PID 4484 wrote to memory of 2060	4484	docyo20230925.exe	cmd.exe
PID 3028 wrote to memory of 1496	3028	cmd.exe	schtasks.exe
PID 3028 wrote to memory of 1496	3028	cmd.exe	schtasks.exe
PID 3028 wrote to memory of 1496	3028	cmd.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

docyo20230925.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	docyo20230925.exe

outlook_win_path 1 IoCs

Processes:

docyo20230925.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	docyo20230925.exe

C:\Users\Admin\AppData\Local\Temp\docyo20230925.exe
"C:\Users\Admin\AppData\Local\Temp\docyo20230925.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4484

C:\Users\Admin\AppData\Local\Temp\docyo20230925.exe
"C:\Users\Admin\AppData\Local\Temp\docyo20230925.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1312

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
PID:3624

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\docyo20230925.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:2060

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1496

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:4752

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
621KB

MD5
ed9d91fe584d5109d4067734ac452753

SHA1
c277e57866833509d94787fc6f4d634a2714825d

SHA256
3629ed9b94ae5d0f2659d02dcb7ce258cb5c2497d5bf18f3c4fed78878fba030

SHA512
a6603acb550b897ec91b5c57b3034b8fd44ad9d675662aade0a078771b533b28e320c12c063c4ae48bfb23e8dfc85f304679458ea111db2e737043af0261bb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
621KB

MD5
ed9d91fe584d5109d4067734ac452753

SHA1
c277e57866833509d94787fc6f4d634a2714825d

SHA256
3629ed9b94ae5d0f2659d02dcb7ce258cb5c2497d5bf18f3c4fed78878fba030

SHA512
a6603acb550b897ec91b5c57b3034b8fd44ad9d675662aade0a078771b533b28e320c12c063c4ae48bfb23e8dfc85f304679458ea111db2e737043af0261bb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
621KB

MD5
ed9d91fe584d5109d4067734ac452753

SHA1
c277e57866833509d94787fc6f4d634a2714825d

SHA256
3629ed9b94ae5d0f2659d02dcb7ce258cb5c2497d5bf18f3c4fed78878fba030

SHA512
a6603acb550b897ec91b5c57b3034b8fd44ad9d675662aade0a078771b533b28e320c12c063c4ae48bfb23e8dfc85f304679458ea111db2e737043af0261bb1a

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
613KB

MD5
f4e556f1dffa3a36462980cb4b371368

SHA1
40e3ef999ec3e341a485d468546c0f2ebbf263c2

SHA256
c04633b52d49e637cd87f69ab3bbfd267814581a2d02e744bf3ee7d446fc5e86

SHA512
028fec16c25c4467700c84aea52aee642500d2abfe1a85ad808eceeb6e52db1b5d244e5f22b42fdc19ed3b7825587bbd27f3475969b9f22463ceaa5d2b1e0d65

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
128KB

MD5
e0d5226471df8918d08487ce35777f92

SHA1
89154cdb77d835c0b128805f65a457e7c0c471ec

SHA256
825afa9749529a746ee8d77feffbe5389dfed351ac0813e6b2a950416dfef6fb

SHA512
761c03393e8d6bb21709810f5429663993a167d63eb857870bd3aa71dd38f446154326e5ffa6e7e9b1ca39f7f74cba49796372d60f39c17a61bd224ec1e4bbe1

Download Submit
memory/1312-30-0x0000000006E60000-0x0000000006EF2000-memory.dmp

Filesize
584KB

Download
memory/1312-29-0x0000000006C90000-0x0000000006E52000-memory.dmp

Filesize
1.8MB

Download
memory/1312-28-0x0000000006A70000-0x0000000006AC0000-memory.dmp

Filesize
320KB

Download
memory/1312-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1312-9-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/1312-10-0x0000000005720000-0x00000000057BC000-memory.dmp

Filesize
624KB

Download
memory/1312-11-0x0000000005AF0000-0x0000000005B00000-memory.dmp

Filesize
64KB

Download
memory/3624-23-0x0000000000140000-0x00000000001E2000-memory.dmp

Filesize
648KB

Download
memory/3624-24-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/4484-6-0x0000000005550000-0x0000000005630000-memory.dmp

Filesize
896KB

Download
memory/4484-0-0x0000000000930000-0x0000000000A02000-memory.dmp

Filesize
840KB

Download
memory/4484-25-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/4484-5-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/4484-4-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download
memory/4484-3-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/4484-2-0x0000000005990000-0x0000000005F34000-memory.dmp

Filesize
5.6MB

Download
memory/4484-1-0x0000000074A90000-0x0000000075240000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads