snakekeylogger | dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6

General

Target

dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe
Size

822KB
MD5

7db30eacb2aafcd1c57d4cf6b314ca71
SHA1

784c19294b0348258632cdacb23927063f0f7ad8
SHA256

dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6
SHA512

985bba196e18696cbe5cb06f03416f2f6b839ebdfd32ac9d4b316cbf32fa7231c5f0e6deeb84ab5271a156c35b5c04295b670dacbe8ef1b477586b0205e5baf5
SSDEEP

12288:91FckahW3INm7sW2ndLQJfVDb0xPkh7g9tO01ehCt6+5wVZaNY:VcDh/m7sPdLQ9VH0xPu7g9n1z6+iuY

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.product-secured.com
Port:
21
Username:
[email protected]
Password:
2V8SHFwjad34@@##

Extracted

Family

snakekeylogger

Credentials

Protocol: ftp
Host:
ftp://ftp.product-secured.com/
Port:
21
Username:
[email protected]
Password:
2V8SHFwjad34@@##

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1264-7-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2464 svchost.exe
4792 svchost.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2464	svchost.exe
4792	svchost.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

88 checkip.dyndns.org

flow	ioc
88	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe

description	pid	process	target process
PID 4676 set thread context of 1264	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5092 schtasks.exe

pid	process
5092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe

pid	process
1264	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe
1264	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe

description pid process

Token: SeDebugPrivilege 1264 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe

pid process

1264 dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe

description	pid	process
Token: SeDebugPrivilege	1264	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.execmd.exe

description	pid	process	target process
PID 4676 wrote to memory of 1264	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe
PID 4676 wrote to memory of 1264	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe
PID 4676 wrote to memory of 1264	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe
PID 4676 wrote to memory of 1264	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe
PID 4676 wrote to memory of 1264	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe
PID 4676 wrote to memory of 1264	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe
PID 4676 wrote to memory of 1264	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe
PID 4676 wrote to memory of 1264	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe
PID 4676 wrote to memory of 2464	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	svchost.exe
PID 4676 wrote to memory of 2464	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	svchost.exe
PID 4676 wrote to memory of 2464	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	svchost.exe
PID 4676 wrote to memory of 3200	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	cmd.exe
PID 4676 wrote to memory of 3200	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	cmd.exe
PID 4676 wrote to memory of 3200	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	cmd.exe
PID 4676 wrote to memory of 2416	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	cmd.exe
PID 4676 wrote to memory of 2416	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	cmd.exe
PID 4676 wrote to memory of 2416	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	cmd.exe
PID 4676 wrote to memory of 3728	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	cmd.exe
PID 4676 wrote to memory of 3728	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	cmd.exe
PID 4676 wrote to memory of 3728	4676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe	cmd.exe
PID 2416 wrote to memory of 5092	2416	cmd.exe	schtasks.exe
PID 2416 wrote to memory of 5092	2416	cmd.exe	schtasks.exe
PID 2416 wrote to memory of 5092	2416	cmd.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe

outlook_win_path 1 IoCs

Processes:

dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe

C:\Users\Admin\AppData\Local\Temp\dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe
"C:\Users\Admin\AppData\Local\Temp\dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4676

C:\Users\Admin\AppData\Local\Temp\dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe
"C:\Users\Admin\AppData\Local\Temp\dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1264

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
PID:2464

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\dfe21dcd3c319fbb88566950ad3cd104f0e76c50200687b8906975c9cdd5aee6_JC.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:3728

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:5092

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:3200

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
621KB

MD5
ed9d91fe584d5109d4067734ac452753

SHA1
c277e57866833509d94787fc6f4d634a2714825d

SHA256
3629ed9b94ae5d0f2659d02dcb7ce258cb5c2497d5bf18f3c4fed78878fba030

SHA512
a6603acb550b897ec91b5c57b3034b8fd44ad9d675662aade0a078771b533b28e320c12c063c4ae48bfb23e8dfc85f304679458ea111db2e737043af0261bb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
621KB

MD5
ed9d91fe584d5109d4067734ac452753

SHA1
c277e57866833509d94787fc6f4d634a2714825d

SHA256
3629ed9b94ae5d0f2659d02dcb7ce258cb5c2497d5bf18f3c4fed78878fba030

SHA512
a6603acb550b897ec91b5c57b3034b8fd44ad9d675662aade0a078771b533b28e320c12c063c4ae48bfb23e8dfc85f304679458ea111db2e737043af0261bb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
621KB

MD5
ed9d91fe584d5109d4067734ac452753

SHA1
c277e57866833509d94787fc6f4d634a2714825d

SHA256
3629ed9b94ae5d0f2659d02dcb7ce258cb5c2497d5bf18f3c4fed78878fba030

SHA512
a6603acb550b897ec91b5c57b3034b8fd44ad9d675662aade0a078771b533b28e320c12c063c4ae48bfb23e8dfc85f304679458ea111db2e737043af0261bb1a

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
640KB

MD5
4c7d04034c8804cf8111355c280c2c4a

SHA1
3d2eeec6b9fe4e883f209528d5451c751845dee1

SHA256
850e103f57f3070b054469bad33065162dd31eab920e68e7629a1cd2764d3acd

SHA512
2ca0d34dfdeace1090cc086cfa4a9b1b494dddad33f60d9b811ded10cd398a114e3abcba89f8b97dafde4acc35880ad440fd0e621009616a3324269e529b8c33

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1264-29-0x0000000006BC0000-0x0000000006D82000-memory.dmp

Filesize
1.8MB

Download
memory/1264-34-0x0000000007060000-0x000000000706A000-memory.dmp

Filesize
40KB

Download
memory/1264-7-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1264-9-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/1264-10-0x00000000057F0000-0x000000000588C000-memory.dmp

Filesize
624KB

Download
memory/1264-11-0x0000000005AF0000-0x0000000005B00000-memory.dmp

Filesize
64KB

Download
memory/1264-35-0x0000000005AF0000-0x0000000005B00000-memory.dmp

Filesize
64KB

Download
memory/1264-30-0x0000000006D90000-0x0000000006E22000-memory.dmp

Filesize
584KB

Download
memory/1264-31-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/1264-28-0x00000000069A0000-0x00000000069F0000-memory.dmp

Filesize
320KB

Download
memory/1264-32-0x0000000005AF0000-0x0000000005B00000-memory.dmp

Filesize
64KB

Download
memory/2464-33-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/2464-24-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/2464-22-0x0000000000040000-0x00000000000E2000-memory.dmp

Filesize
648KB

Download
memory/4676-5-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4676-0-0x0000000000B70000-0x0000000000C42000-memory.dmp

Filesize
840KB

Download
memory/4676-3-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4676-25-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/4676-4-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download
memory/4676-6-0x00000000058B0000-0x0000000005990000-memory.dmp

Filesize
896KB

Download
memory/4676-2-0x0000000005CB0000-0x0000000006254000-memory.dmp

Filesize
5.6MB

Download
memory/4676-1-0x00000000743E0000-0x0000000074B90000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads