snakekeylogger | 2e070bf82e1dc22ca1b3612faaaed7688cf8041b14cb1be60b953e25d7ef1919

General

Target

Revised Invoice.pdf.exe
Size

949KB
MD5

4cbadf2f02b55b681ad8179318125627
SHA1

b7fcd5e0ec5b5ca2138c5243e0a2b96cbb3ce343
SHA256

2e070bf82e1dc22ca1b3612faaaed7688cf8041b14cb1be60b953e25d7ef1919
SHA512

358a258502f15ce71c1a8931a1b31da3b40ac899bde0314cfcf0104c79919e489b4eee07aad4ef6def334b7c889c3430cae68d5d4804ea6e248c6c726d02cad1
SSDEEP

12288:9yQaMFM0Mvxv9QtXV74LFpMQJfmJFGH/dqsBCSsoik88FXNnp:9yjv9e9SF7lmsFqHoikJXN

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.worlorderbillions.top
Port:
587
Username:
[email protected]
Password:
7f*ybyLDVD[J

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3928-13-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Revised Invoice.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Revised Invoice.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Revised Invoice.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Revised Invoice.pdf.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Revised Invoice.pdf.exe

description pid process target process

PID 1060 set thread context of 3928 1060 Revised Invoice.pdf.exe Revised Invoice.pdf.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Revised Invoice.pdf.exeRevised Invoice.pdf.exe

pid process

1060 Revised Invoice.pdf.exe
1060 Revised Invoice.pdf.exe
3928 Revised Invoice.pdf.exe
3928 Revised Invoice.pdf.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Revised Invoice.pdf.exeRevised Invoice.pdf.exe

description pid process

Token: SeDebugPrivilege 1060 Revised Invoice.pdf.exe
Token: SeDebugPrivilege 3928 Revised Invoice.pdf.exe

flow	ioc
43	checkip.dyndns.org

description	pid	process	target process
PID 1060 set thread context of 3928	1060	Revised Invoice.pdf.exe	Revised Invoice.pdf.exe

pid	process
1060	Revised Invoice.pdf.exe
1060	Revised Invoice.pdf.exe
3928	Revised Invoice.pdf.exe
3928	Revised Invoice.pdf.exe

description	pid	process
Token: SeDebugPrivilege	1060	Revised Invoice.pdf.exe
Token: SeDebugPrivilege	3928	Revised Invoice.pdf.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Revised Invoice.pdf.exe

description	pid	process	target process
PID 1060 wrote to memory of 3304	1060	Revised Invoice.pdf.exe	Revised Invoice.pdf.exe
PID 1060 wrote to memory of 3304	1060	Revised Invoice.pdf.exe	Revised Invoice.pdf.exe
PID 1060 wrote to memory of 3304	1060	Revised Invoice.pdf.exe	Revised Invoice.pdf.exe
PID 1060 wrote to memory of 3928	1060	Revised Invoice.pdf.exe	Revised Invoice.pdf.exe
PID 1060 wrote to memory of 3928	1060	Revised Invoice.pdf.exe	Revised Invoice.pdf.exe
PID 1060 wrote to memory of 3928	1060	Revised Invoice.pdf.exe	Revised Invoice.pdf.exe
PID 1060 wrote to memory of 3928	1060	Revised Invoice.pdf.exe	Revised Invoice.pdf.exe
PID 1060 wrote to memory of 3928	1060	Revised Invoice.pdf.exe	Revised Invoice.pdf.exe
PID 1060 wrote to memory of 3928	1060	Revised Invoice.pdf.exe	Revised Invoice.pdf.exe
PID 1060 wrote to memory of 3928	1060	Revised Invoice.pdf.exe	Revised Invoice.pdf.exe
PID 1060 wrote to memory of 3928	1060	Revised Invoice.pdf.exe	Revised Invoice.pdf.exe

outlook_office_path 1 IoCs

Processes:

Revised Invoice.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Revised Invoice.pdf.exe

outlook_win_path 1 IoCs

Processes:

Revised Invoice.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Revised Invoice.pdf.exe

C:\Users\Admin\AppData\Local\Temp\Revised Invoice.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Revised Invoice.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Local\Temp\Revised Invoice.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Revised Invoice.pdf.exe"
2⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\Revised Invoice.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Revised Invoice.pdf.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Revised Invoice.pdf.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/1060-10-0x0000000005C70000-0x0000000005C80000-memory.dmp

Filesize
64KB

Download
memory/1060-5-0x00000000056A0000-0x00000000056AA000-memory.dmp

Filesize
40KB

Download
memory/1060-11-0x00000000071C0000-0x0000000007222000-memory.dmp

Filesize
392KB

Download
memory/1060-16-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/1060-12-0x0000000009810000-0x00000000098AC000-memory.dmp

Filesize
624KB

Download
memory/1060-6-0x0000000005C30000-0x0000000005C4E000-memory.dmp

Filesize
120KB

Download
memory/1060-7-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/1060-8-0x0000000005610000-0x0000000005620000-memory.dmp

Filesize
64KB

Download
memory/1060-9-0x0000000005C60000-0x0000000005C6C000-memory.dmp

Filesize
48KB

Download
memory/1060-0-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/1060-3-0x00000000056D0000-0x0000000005762000-memory.dmp

Filesize
584KB

Download
memory/1060-2-0x0000000005C80000-0x0000000006224000-memory.dmp

Filesize
5.6MB

Download
memory/1060-4-0x0000000005610000-0x0000000005620000-memory.dmp

Filesize
64KB

Download
memory/1060-1-0x0000000000BD0000-0x0000000000CC4000-memory.dmp

Filesize
976KB

Download
memory/3928-17-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/3928-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3928-18-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/3928-19-0x0000000006160000-0x00000000061B0000-memory.dmp

Filesize
320KB

Download
memory/3928-20-0x0000000006380000-0x0000000006542000-memory.dmp

Filesize
1.8MB

Download
memory/3928-21-0x00000000753B0000-0x0000000075B60000-memory.dmp

Filesize
7.7MB

Download
memory/3928-22-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads