snakekeylogger | bebc0029d94116ae2f1d7ae6ce0f91376a188a90e0da62cc53030c831cfc0d45

Analysis

max time kernel
139s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2023 09:45

Target

URGENT RFQ! RFP82810.exe
Size

329KB
MD5

42df97789a51cb7ba473e6f447e83989
SHA1

400e3f2bc880dd690e4dcbfd8024995e83347d9d
SHA256

73dc704c3a82e161c621cdbd9164c9ee86ccb8b7fa0dcfc8f03ce40335c8604e
SHA512

0b3b26bb8d131fc506d9e3be57b1ef7d9c51f46a7dc9529bc4657a90767e09997e5675c91a2e83772ab4602b2c923d840ff5c708a831c24cf38b570eec6c023d
SSDEEP

6144:/CKQBMNitGsC/UJiQ2+423iCn3XgIqFsPe35bgaGPEQD:/fQ67sCYiX23PXbqL35bgaGf

Score

10^/10

Family

snakekeylogger

Credentials

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3600-9-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

40 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

URGENT RFQ! RFP82810.exe

description pid process target process

PID 344 set thread context of 3600 344 URGENT RFQ! RFP82810.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3724 3600 WerFault.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RegAsm.exe

pid process

3600 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 3600 RegAsm.exe

flow	ioc
40	checkip.dyndns.org

description	pid	process	target process
PID 344 set thread context of 3600	344	URGENT RFQ! RFP82810.exe	RegAsm.exe

pid	pid_target	process	target process
3724	3600	WerFault.exe	RegAsm.exe

pid	process
3600	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3600	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

URGENT RFQ! RFP82810.exe

description	pid	process	target process
PID 344 wrote to memory of 3600	344	URGENT RFQ! RFP82810.exe	RegAsm.exe
PID 344 wrote to memory of 3600	344	URGENT RFQ! RFP82810.exe	RegAsm.exe
PID 344 wrote to memory of 3600	344	URGENT RFQ! RFP82810.exe	RegAsm.exe
PID 344 wrote to memory of 3600	344	URGENT RFQ! RFP82810.exe	RegAsm.exe
PID 344 wrote to memory of 3600	344	URGENT RFQ! RFP82810.exe	RegAsm.exe
PID 344 wrote to memory of 3600	344	URGENT RFQ! RFP82810.exe	RegAsm.exe
PID 344 wrote to memory of 3600	344	URGENT RFQ! RFP82810.exe	RegAsm.exe
PID 344 wrote to memory of 3600	344	URGENT RFQ! RFP82810.exe	RegAsm.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 1532
3⤵
- Program crash
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3600 -ip 3600
1⤵
PID:724

memory/344-6-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/344-8-0x0000000005190000-0x000000000519A000-memory.dmp

Filesize
40KB

Download
memory/344-2-0x00000000052D0000-0x0000000005874000-memory.dmp

Filesize
5.6MB

Download
memory/344-3-0x0000000004DD0000-0x0000000004E62000-memory.dmp

Filesize
584KB

Download
memory/344-4-0x0000000004D70000-0x0000000004DC4000-memory.dmp

Filesize
336KB

Download
memory/344-5-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/344-1-0x00000000003D0000-0x0000000000428000-memory.dmp

Filesize
352KB

Download
memory/344-7-0x0000000005230000-0x00000000052CC000-memory.dmp

Filesize
624KB

Download
memory/344-0-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/344-11-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/3600-9-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3600-12-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/3600-13-0x0000000005A60000-0x0000000005A70000-memory.dmp

Filesize
64KB

Download
memory/3600-14-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/3600-15-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download