snakekeylogger | f2d0ccfeeee010d03dbd6ccabf18e33fd6de842be318b5a800ad7793848ea410

General

Target

Purchase Order 0156070.PDF.exe
Size

585KB
MD5

536a5ff0f223a0ce1fa5601624a91f1c
SHA1

e785ec6acb47820681a2047388d3aa4c3f008e7d
SHA256

f2d0ccfeeee010d03dbd6ccabf18e33fd6de842be318b5a800ad7793848ea410
SHA512

0bbd1eda03d8302d73d12dfeb85cd2470ec2a3217098305e7c7f1385e2cf89ac1dc884c9f1997075f7d61cd01b82a98ade1c6b3080821e4801fcea0ea749ada0
SSDEEP

12288:fTdYX9KMtD/F3LjRULYFVbVmk8mADwrbTeLKZk7WW5Z:GtRtDd3LlULUVbVmpmIwrHd0WW5

Score

10^/10

snakekeylogger collection keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.ksline.com.my
Port:
587
Username:
[email protected]
Password:
ksline1410$$
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2556-12-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2556-14-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2556-18-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2556-20-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2556-22-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2556-25-0x0000000004920000-0x0000000004960000-memory.dmp	family_snakekeylogger

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Purchase Order 0156070.PDF.exe

description pid process target process

PID 2668 set thread context of 2556 2668 Purchase Order 0156070.PDF.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Purchase Order 0156070.PDF.exeRegSvcs.exe

pid process

2668 Purchase Order 0156070.PDF.exe
2668 Purchase Order 0156070.PDF.exe
2556 RegSvcs.exe
2556 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Purchase Order 0156070.PDF.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 2668 Purchase Order 0156070.PDF.exe
Token: SeDebugPrivilege 2556 RegSvcs.exe

flow	ioc
4	checkip.dyndns.org

description	pid	process	target process
PID 2668 set thread context of 2556	2668	Purchase Order 0156070.PDF.exe	RegSvcs.exe

pid	process
2668	Purchase Order 0156070.PDF.exe
2668	Purchase Order 0156070.PDF.exe
2556	RegSvcs.exe
2556	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2668	Purchase Order 0156070.PDF.exe
Token: SeDebugPrivilege	2556	RegSvcs.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Purchase Order 0156070.PDF.exe

description	pid	process	target process
PID 2668 wrote to memory of 2556	2668	Purchase Order 0156070.PDF.exe	RegSvcs.exe
PID 2668 wrote to memory of 2556	2668	Purchase Order 0156070.PDF.exe	RegSvcs.exe
PID 2668 wrote to memory of 2556	2668	Purchase Order 0156070.PDF.exe	RegSvcs.exe
PID 2668 wrote to memory of 2556	2668	Purchase Order 0156070.PDF.exe	RegSvcs.exe
PID 2668 wrote to memory of 2556	2668	Purchase Order 0156070.PDF.exe	RegSvcs.exe
PID 2668 wrote to memory of 2556	2668	Purchase Order 0156070.PDF.exe	RegSvcs.exe
PID 2668 wrote to memory of 2556	2668	Purchase Order 0156070.PDF.exe	RegSvcs.exe
PID 2668 wrote to memory of 2556	2668	Purchase Order 0156070.PDF.exe	RegSvcs.exe
PID 2668 wrote to memory of 2556	2668	Purchase Order 0156070.PDF.exe	RegSvcs.exe
PID 2668 wrote to memory of 2556	2668	Purchase Order 0156070.PDF.exe	RegSvcs.exe
PID 2668 wrote to memory of 2556	2668	Purchase Order 0156070.PDF.exe	RegSvcs.exe
PID 2668 wrote to memory of 2556	2668	Purchase Order 0156070.PDF.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order 0156070.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order 0156070.PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2556-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2556-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2556-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2556-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2556-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2556-27-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download
memory/2556-26-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2556-24-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2556-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2556-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2556-25-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download
memory/2556-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2668-4-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-3-0x0000000000720000-0x000000000073C000-memory.dmp

Filesize
112KB

Download
memory/2668-1-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-0-0x00000000000C0000-0x0000000000158000-memory.dmp

Filesize
608KB

Download
memory/2668-23-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-2-0x0000000004900000-0x0000000004940000-memory.dmp

Filesize
256KB

Download
memory/2668-7-0x0000000005340000-0x00000000053A0000-memory.dmp

Filesize
384KB

Download
memory/2668-6-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/2668-5-0x0000000004900000-0x0000000004940000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads