snakekeylogger | 1a6df26ab226cce53ed57cf4d4a46afcacfed48d181ecf3cefc1547a86fa514e

General

Target

SU RECEIPTS.exe
Size

45KB
MD5

8c1ecfec742a15ecea1270341f6fc233
SHA1

cad6e89bb9a46723d5c065118d84f8fa2d733b5b
SHA256

1a6df26ab226cce53ed57cf4d4a46afcacfed48d181ecf3cefc1547a86fa514e
SHA512

1cea0261f65f4faf58b9f6c06942f39eb898b0fc2a31719de3aa6be7842170d1cd69efc0c66d9406e076b38923e4d065a2afa50e1943f60ea9af5ad5a1800f74
SSDEEP

768:uyJEWTx+/DsoQpYZluRhLLZKT+LQEPKfrs4nMWp/YI4XuMI/t6nOa6Tyo:dnpBX7LQnjsL9o1t6Oa/o

Score

10^/10

snakekeylogger collection keylogger persistence stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6665362842:AAG0pFaR7HRKKztCR5GZinjteZ-4ePeXCWM/sendMessage?chat_id=1467583453

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4788-13-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

SU RECEIPTS.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SU RECEIPTS.exe
Key opened	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SU RECEIPTS.exe
Key opened	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SU RECEIPTS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SU RECEIPTS.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Avukehngtk = "C:\\Users\\Admin\\AppData\\Roaming\\Avukehngtk.exe"	SU RECEIPTS.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

81 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

SU RECEIPTS.exe

description pid process target process

PID 2300 set thread context of 4788 2300 SU RECEIPTS.exe SU RECEIPTS.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SU RECEIPTS.exe

pid process

4788 SU RECEIPTS.exe
4788 SU RECEIPTS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SU RECEIPTS.exeSU RECEIPTS.exe

description pid process

Token: SeDebugPrivilege 2300 SU RECEIPTS.exe
Token: SeDebugPrivilege 4788 SU RECEIPTS.exe

flow	ioc
81	checkip.dyndns.org

description	pid	process	target process
PID 2300 set thread context of 4788	2300	SU RECEIPTS.exe	SU RECEIPTS.exe

pid	process
4788	SU RECEIPTS.exe
4788	SU RECEIPTS.exe

description	pid	process
Token: SeDebugPrivilege	2300	SU RECEIPTS.exe
Token: SeDebugPrivilege	4788	SU RECEIPTS.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

SU RECEIPTS.exe

description	pid	process	target process
PID 2300 wrote to memory of 4788	2300	SU RECEIPTS.exe	SU RECEIPTS.exe
PID 2300 wrote to memory of 4788	2300	SU RECEIPTS.exe	SU RECEIPTS.exe
PID 2300 wrote to memory of 4788	2300	SU RECEIPTS.exe	SU RECEIPTS.exe
PID 2300 wrote to memory of 4788	2300	SU RECEIPTS.exe	SU RECEIPTS.exe
PID 2300 wrote to memory of 4788	2300	SU RECEIPTS.exe	SU RECEIPTS.exe
PID 2300 wrote to memory of 4788	2300	SU RECEIPTS.exe	SU RECEIPTS.exe
PID 2300 wrote to memory of 4788	2300	SU RECEIPTS.exe	SU RECEIPTS.exe
PID 2300 wrote to memory of 4788	2300	SU RECEIPTS.exe	SU RECEIPTS.exe

outlook_office_path 1 IoCs

Processes:

SU RECEIPTS.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SU RECEIPTS.exe

outlook_win_path 1 IoCs

Processes:

SU RECEIPTS.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SU RECEIPTS.exe

C:\Users\Admin\AppData\Local\Temp\SU RECEIPTS.exe
"C:\Users\Admin\AppData\Local\Temp\SU RECEIPTS.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Local\Temp\SU RECEIPTS.exe
"C:\Users\Admin\AppData\Local\Temp\SU RECEIPTS.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SU RECEIPTS.exe.log

Filesize
1KB

MD5
7ec52a18e14aaabdaa3ca494d0d2fcd6

SHA1
9da1ce116cfcc41e2943ce5866d844bb4b0c54f8

SHA256
d3254d6b93af211373171a502e4f732a62fb26398a7c7f0cf89959630ccf5b22

SHA512
efbee1ec6a5f5d2008f46a721ab45f8a8659e400def9fe3239a2131efdac5136472ea189f63cd6de5a21866b9e8eea1b5c574be62243376420ef84c9b32761c9

Download Submit
memory/2300-10-0x0000000006E60000-0x0000000006E96000-memory.dmp

Filesize
216KB

Download
memory/2300-17-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/2300-9-0x0000000006060000-0x0000000006098000-memory.dmp

Filesize
224KB

Download
memory/2300-4-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/2300-5-0x0000000005F30000-0x0000000005FC2000-memory.dmp

Filesize
584KB

Download
memory/2300-6-0x0000000005F10000-0x0000000005F1A000-memory.dmp

Filesize
40KB

Download
memory/2300-7-0x0000000006CA0000-0x0000000006CF0000-memory.dmp

Filesize
320KB

Download
memory/2300-8-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/2300-3-0x00000000056E0000-0x0000000005C84000-memory.dmp

Filesize
5.6MB

Download
memory/2300-2-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/2300-0-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/2300-11-0x0000000006EB0000-0x0000000006EFC000-memory.dmp

Filesize
304KB

Download
memory/2300-1-0x0000000000820000-0x0000000000830000-memory.dmp

Filesize
64KB

Download
memory/4788-21-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/4788-16-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/4788-18-0x0000000004FC0000-0x000000000505C000-memory.dmp

Filesize
624KB

Download
memory/4788-19-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/4788-20-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/4788-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads