snakekeylogger | 49c59a32e93fef5738e0391500ed7bee421897016304d6db4cb58d9dd1c6d996

General

Target

REQUEST FOR QUOTATION E230830F2.exe
Size

560KB
MD5

5bef2b26267e7cfbc2d8c02404627ccd
SHA1

8ee2fe6bb21ff176100bc9403e060a4aa2021403
SHA256

de3b0df29cca773ff488c9e27f051b767fa7bd93ae9fedd5db91037de48615ca
SHA512

386bf359c6c6acc6ea0071c24efd7f1beea3930c1c2045c0c6c71fd1f8f2ca1caeb1506c1c0aca24abe022c7ad061a3d1a5531aa74b52f9578f931ffa0aad6fe
SSDEEP

12288:kY2AfDuHOXDAMfAkcOJJy5CoKHLw+wEcryuleCWp8N7:kY2gxf2OXy5CoCLJwyule

Score

10^/10

snakekeylogger collection keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.xantara.com.my
Port:
587
Username:
[email protected]
Password:
Limetree342983!
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3432-12-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

41 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

REQUEST FOR QUOTATION E230830F2.exe

description pid process target process

PID 3092 set thread context of 3432 3092 REQUEST FOR QUOTATION E230830F2.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

REQUEST FOR QUOTATION E230830F2.exeRegSvcs.exe

pid process

3092 REQUEST FOR QUOTATION E230830F2.exe
3092 REQUEST FOR QUOTATION E230830F2.exe
3432 RegSvcs.exe
3432 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

REQUEST FOR QUOTATION E230830F2.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 3092 REQUEST FOR QUOTATION E230830F2.exe
Token: SeDebugPrivilege 3432 RegSvcs.exe

flow	ioc
41	checkip.dyndns.org

description	pid	process	target process
PID 3092 set thread context of 3432	3092	REQUEST FOR QUOTATION E230830F2.exe	RegSvcs.exe

pid	process
3092	REQUEST FOR QUOTATION E230830F2.exe
3092	REQUEST FOR QUOTATION E230830F2.exe
3432	RegSvcs.exe
3432	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3092	REQUEST FOR QUOTATION E230830F2.exe
Token: SeDebugPrivilege	3432	RegSvcs.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

REQUEST FOR QUOTATION E230830F2.exe

description	pid	process	target process
PID 3092 wrote to memory of 3528	3092	REQUEST FOR QUOTATION E230830F2.exe	RegSvcs.exe
PID 3092 wrote to memory of 3528	3092	REQUEST FOR QUOTATION E230830F2.exe	RegSvcs.exe
PID 3092 wrote to memory of 3528	3092	REQUEST FOR QUOTATION E230830F2.exe	RegSvcs.exe
PID 3092 wrote to memory of 3432	3092	REQUEST FOR QUOTATION E230830F2.exe	RegSvcs.exe
PID 3092 wrote to memory of 3432	3092	REQUEST FOR QUOTATION E230830F2.exe	RegSvcs.exe
PID 3092 wrote to memory of 3432	3092	REQUEST FOR QUOTATION E230830F2.exe	RegSvcs.exe
PID 3092 wrote to memory of 3432	3092	REQUEST FOR QUOTATION E230830F2.exe	RegSvcs.exe
PID 3092 wrote to memory of 3432	3092	REQUEST FOR QUOTATION E230830F2.exe	RegSvcs.exe
PID 3092 wrote to memory of 3432	3092	REQUEST FOR QUOTATION E230830F2.exe	RegSvcs.exe
PID 3092 wrote to memory of 3432	3092	REQUEST FOR QUOTATION E230830F2.exe	RegSvcs.exe
PID 3092 wrote to memory of 3432	3092	REQUEST FOR QUOTATION E230830F2.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION E230830F2.exe
"C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION E230830F2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:3528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3092-10-0x0000000006A80000-0x0000000006A8A000-memory.dmp

Filesize
40KB

Download
memory/3092-15-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/3092-2-0x0000000005A50000-0x0000000005FF4000-memory.dmp

Filesize
5.6MB

Download
memory/3092-3-0x0000000005580000-0x0000000005612000-memory.dmp

Filesize
584KB

Download
memory/3092-4-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/3092-5-0x0000000005630000-0x000000000563A000-memory.dmp

Filesize
40KB

Download
memory/3092-6-0x0000000005820000-0x00000000058BC000-memory.dmp

Filesize
624KB

Download
memory/3092-0-0x0000000000B10000-0x0000000000BA0000-memory.dmp

Filesize
576KB

Download
memory/3092-8-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/3092-1-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/3092-7-0x0000000005A30000-0x0000000005A48000-memory.dmp

Filesize
96KB

Download
memory/3092-11-0x000000000A6B0000-0x000000000A710000-memory.dmp

Filesize
384KB

Download
memory/3092-9-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/3432-18-0x0000000006910000-0x0000000006AD2000-memory.dmp

Filesize
1.8MB

Download
memory/3432-14-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/3432-16-0x0000000005A00000-0x0000000005A10000-memory.dmp

Filesize
64KB

Download
memory/3432-17-0x00000000066F0000-0x0000000006740000-memory.dmp

Filesize
320KB

Download
memory/3432-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3432-19-0x0000000074670000-0x0000000074E20000-memory.dmp

Filesize
7.7MB

Download
memory/3432-20-0x0000000005A00000-0x0000000005A10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads