snakekeylogger | f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12

Analysis

max time kernel
194s
max time network
244s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe
Size

542KB
MD5

fb6436801517f4cb1748ba4bf9df2df4
SHA1

2c36e323268892dc7f9987fb5200ee1fb2336df0
SHA256

f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12
SHA512

77140f0e92be4f7b931f33949ef4640b8d02bebcc43e0aec97618eb731efb07acb0648efcc10af630f2440bc2c8fa45b3862b8d77ce5c3f9d908ac9b22bf6977
SSDEEP

12288:5tHparD6dh85k4Y5hLZwi3qjnb7svMufuul8ZxeizmFzx:h4Dqh5LPwi3YnsUufuLnRmH

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot6316392918:AAHcjKTVDupG6SMH3LkXAeVBgHKlqsAcmRU/sendMessage?chat_id=6445748530

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2256-39-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2256-40-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2256-43-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2256-45-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2256-48-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2256-50-0x0000000004770000-0x00000000047B0000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe

description	pid	process	target process
PID 2744 set thread context of 2256	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2644 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exef8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe

pid process

2568 powershell.exe
2540 powershell.exe
2256 f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe

pid	process
2644	schtasks.exe

pid	process
2568	powershell.exe
2540	powershell.exe
2256	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exef8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe

description	pid	process
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2256	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe

description	pid	process	target process
PID 2744 wrote to memory of 2568	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	powershell.exe
PID 2744 wrote to memory of 2568	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	powershell.exe
PID 2744 wrote to memory of 2568	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	powershell.exe
PID 2744 wrote to memory of 2568	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	powershell.exe
PID 2744 wrote to memory of 2540	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	powershell.exe
PID 2744 wrote to memory of 2540	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	powershell.exe
PID 2744 wrote to memory of 2540	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	powershell.exe
PID 2744 wrote to memory of 2540	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	powershell.exe
PID 2744 wrote to memory of 2644	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	schtasks.exe
PID 2744 wrote to memory of 2644	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	schtasks.exe
PID 2744 wrote to memory of 2644	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	schtasks.exe
PID 2744 wrote to memory of 2644	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	schtasks.exe
PID 2744 wrote to memory of 2256	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe
PID 2744 wrote to memory of 2256	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe
PID 2744 wrote to memory of 2256	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe
PID 2744 wrote to memory of 2256	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe
PID 2744 wrote to memory of 2256	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe
PID 2744 wrote to memory of 2256	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe
PID 2744 wrote to memory of 2256	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe
PID 2744 wrote to memory of 2256	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe
PID 2744 wrote to memory of 2256	2744	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe	f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe

C:\Users\Admin\AppData\Local\Temp\f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe
"C:\Users\Admin\AppData\Local\Temp\f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dSirXQFPjw.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dSirXQFPjw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD2E9.tmp"
2⤵
- Creates scheduled task(s)
PID:2644

C:\Users\Admin\AppData\Local\Temp\f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe
"C:\Users\Admin\AppData\Local\Temp\f8e42f0b33b357352164af46809b4ba2fd3f213059b4f7d1a38c9df1e84e6b12.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD2E9.tmp

Filesize
1KB

MD5
9b9bbcff32a024eb51da9adc692c6234

SHA1
0f243d0d2c3896abbde92837524dcc45389dbd57

SHA256
0d196f34afbc183cf65123d898670f3e43b697035006b32c5e24ec40b625cd20

SHA512
af706eac3656ab0bf45be07481baf48c79e1a6e41437b4d94a745bead45ca2bf7d53d27ffa280144712c17032956fcd11b0ad4377291439181b3487ae5da7f1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q3DXCLPML1D2NYROBX6L.temp

Filesize
7KB

MD5
29e766ed7f444083889132df8d95cb0c

SHA1
147811afd53aea3b143d72c9e619429c1602f375

SHA256
91b0530234f232646528febde630e15a830303f909e22243f2d3691a49c8fbc5

SHA512
72e5b3263e08af9c21debc6bd4275817d27dea854900920c0911e66a834c26073f072882dcda766bd2045f308aeeca74c92d8bc447d81dbd724e696813dd2908

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
29e766ed7f444083889132df8d95cb0c

SHA1
147811afd53aea3b143d72c9e619429c1602f375

SHA256
91b0530234f232646528febde630e15a830303f909e22243f2d3691a49c8fbc5

SHA512
72e5b3263e08af9c21debc6bd4275817d27dea854900920c0911e66a834c26073f072882dcda766bd2045f308aeeca74c92d8bc447d81dbd724e696813dd2908

Download Submit
memory/2256-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2256-43-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2256-54-0x0000000004770000-0x00000000047B0000-memory.dmp

Filesize
256KB

Download
memory/2256-50-0x0000000004770000-0x00000000047B0000-memory.dmp

Filesize
256KB

Download
memory/2256-49-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/2256-48-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2256-45-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2256-40-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2256-38-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2256-37-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2256-39-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2256-53-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-36-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2540-21-0x000000006F2C0000-0x000000006F86B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-26-0x000000006F2C0000-0x000000006F86B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-27-0x000000006F2C0000-0x000000006F86B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-52-0x000000006F2C0000-0x000000006F86B000-memory.dmp

Filesize
5.7MB

Download
memory/2540-30-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2540-33-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2540-24-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2568-22-0x000000006F2C0000-0x000000006F86B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-35-0x00000000021A0000-0x00000000021E0000-memory.dmp

Filesize
256KB

Download
memory/2568-34-0x00000000021A0000-0x00000000021E0000-memory.dmp

Filesize
256KB

Download
memory/2568-23-0x00000000021A0000-0x00000000021E0000-memory.dmp

Filesize
256KB

Download
memory/2568-25-0x000000006F2C0000-0x000000006F86B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-29-0x00000000021A0000-0x00000000021E0000-memory.dmp

Filesize
256KB

Download
memory/2568-51-0x000000006F2C0000-0x000000006F86B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-28-0x000000006F2C0000-0x000000006F86B000-memory.dmp

Filesize
5.7MB

Download
memory/2744-5-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download
memory/2744-3-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download
memory/2744-47-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-8-0x0000000002080000-0x00000000020E0000-memory.dmp

Filesize
384KB

Download
memory/2744-4-0x0000000000370000-0x000000000038A000-memory.dmp

Filesize
104KB

Download
memory/2744-6-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/2744-0-0x00000000002E0000-0x000000000036E000-memory.dmp

Filesize
568KB

Download
memory/2744-2-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-7-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2744-1-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download