snakekeylogger | 9a2f9a2670f1a81d9e637218669c6db6a29ea962ce2cb2a81468c45aa5b40b40

General

Target

Halkbank_Ekstre_20231019_574589_324568.pdf.exe
Size

949KB
MD5

9869b521f18fc52aa2ee00593f41065c
SHA1

aaad09ec83aa11081f2f81df2eecf0303a049a93
SHA256

9a2f9a2670f1a81d9e637218669c6db6a29ea962ce2cb2a81468c45aa5b40b40
SHA512

0140fa3cbbc1ad4e12d88fa9dc58dc4cb4b9d7d7b29be63372a937ddd2d36fc7f5342742c0ea6bede85d04fef1b56fc14b7da1b94878aa8b224698a75e65216a
SSDEEP

12288:IyQaMFM0Mvxv9ZtOZvkrM7aMhOt3a7kbVRpzRcv9sXfNKtHkvJlq:Iyjv9EZOSTOdVRptclmfNKhkvG

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6564714997:AAEB5Qyq9hSihv7iw6Fa5RV1VfNvFH6t4oU/sendMessage?chat_id=5328986207

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2208-11-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2208-12-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2208-15-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2208-17-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2208-19-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2208-22-0x0000000004BC0000-0x0000000004C00000-memory.dmp	family_snakekeylogger
behavioral1/memory/2208-24-0x0000000004BC0000-0x0000000004C00000-memory.dmp	family_snakekeylogger

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Halkbank_Ekstre_20231019_574589_324568.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Halkbank_Ekstre_20231019_574589_324568.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Halkbank_Ekstre_20231019_574589_324568.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Halkbank_Ekstre_20231019_574589_324568.pdf.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

Halkbank_Ekstre_20231019_574589_324568.pdf.exe

description	pid	process	target process
PID 2392 set thread context of 2208	2392	Halkbank_Ekstre_20231019_574589_324568.pdf.exe	Halkbank_Ekstre_20231019_574589_324568.pdf.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Halkbank_Ekstre_20231019_574589_324568.pdf.exe

pid process

2208 Halkbank_Ekstre_20231019_574589_324568.pdf.exe
2208 Halkbank_Ekstre_20231019_574589_324568.pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Halkbank_Ekstre_20231019_574589_324568.pdf.exe

description pid process

Token: SeDebugPrivilege 2208 Halkbank_Ekstre_20231019_574589_324568.pdf.exe

pid	process
2208	Halkbank_Ekstre_20231019_574589_324568.pdf.exe
2208	Halkbank_Ekstre_20231019_574589_324568.pdf.exe

description	pid	process
Token: SeDebugPrivilege	2208	Halkbank_Ekstre_20231019_574589_324568.pdf.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Halkbank_Ekstre_20231019_574589_324568.pdf.exe

description	pid	process	target process
PID 2392 wrote to memory of 2208	2392	Halkbank_Ekstre_20231019_574589_324568.pdf.exe	Halkbank_Ekstre_20231019_574589_324568.pdf.exe
PID 2392 wrote to memory of 2208	2392	Halkbank_Ekstre_20231019_574589_324568.pdf.exe	Halkbank_Ekstre_20231019_574589_324568.pdf.exe
PID 2392 wrote to memory of 2208	2392	Halkbank_Ekstre_20231019_574589_324568.pdf.exe	Halkbank_Ekstre_20231019_574589_324568.pdf.exe
PID 2392 wrote to memory of 2208	2392	Halkbank_Ekstre_20231019_574589_324568.pdf.exe	Halkbank_Ekstre_20231019_574589_324568.pdf.exe
PID 2392 wrote to memory of 2208	2392	Halkbank_Ekstre_20231019_574589_324568.pdf.exe	Halkbank_Ekstre_20231019_574589_324568.pdf.exe
PID 2392 wrote to memory of 2208	2392	Halkbank_Ekstre_20231019_574589_324568.pdf.exe	Halkbank_Ekstre_20231019_574589_324568.pdf.exe
PID 2392 wrote to memory of 2208	2392	Halkbank_Ekstre_20231019_574589_324568.pdf.exe	Halkbank_Ekstre_20231019_574589_324568.pdf.exe
PID 2392 wrote to memory of 2208	2392	Halkbank_Ekstre_20231019_574589_324568.pdf.exe	Halkbank_Ekstre_20231019_574589_324568.pdf.exe
PID 2392 wrote to memory of 2208	2392	Halkbank_Ekstre_20231019_574589_324568.pdf.exe	Halkbank_Ekstre_20231019_574589_324568.pdf.exe

outlook_office_path 1 IoCs

Processes:

Halkbank_Ekstre_20231019_574589_324568.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Halkbank_Ekstre_20231019_574589_324568.pdf.exe

outlook_win_path 1 IoCs

Processes:

Halkbank_Ekstre_20231019_574589_324568.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Halkbank_Ekstre_20231019_574589_324568.pdf.exe

C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20231019_574589_324568.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20231019_574589_324568.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2392

C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20231019_574589_324568.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20231019_574589_324568.pdf.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2208-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2208-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2208-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2208-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2208-23-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2208-22-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/2208-21-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2208-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2208-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2208-9-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2208-24-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/2208-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2392-6-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download
memory/2392-8-0x0000000004DC0000-0x0000000004E22000-memory.dmp

Filesize
392KB

Download
memory/2392-1-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-3-0x0000000000470000-0x000000000048E000-memory.dmp

Filesize
120KB

Download
memory/2392-7-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/2392-20-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-2-0x0000000004E30000-0x0000000004E70000-memory.dmp

Filesize
256KB

Download
memory/2392-5-0x0000000004E30000-0x0000000004E70000-memory.dmp

Filesize
256KB

Download
memory/2392-4-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-0-0x0000000000C40000-0x0000000000D34000-memory.dmp

Filesize
976KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads