snakekeylogger | 9797593a4d2f9d01dbb48e57bf0aa5bb970b6ad988f5f8df872ea6f29ece00df

General

Target

b28fed6e73d8203eeebe48b75835f1a6.exe
Size

522KB
MD5

b28fed6e73d8203eeebe48b75835f1a6
SHA1

45b15d54281ebd0a946fa905dd85c563a221ec90
SHA256

9797593a4d2f9d01dbb48e57bf0aa5bb970b6ad988f5f8df872ea6f29ece00df
SHA512

7e970c4e45d430b17f904c0721fb1cc64b9961b0776adc211ddc0e5ca9ae48594ffbd9004a7d5db23e39940e627c8d34cfb85332c2b4e206df901fe0a97f5cef
SSDEEP

12288:11DKzKH/PPM+WC/cj4KmuMT5FqQTkRmGCnmLS0beG3:vDKQ1q9mLu6mT7

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.gkas.com.tr
Port:
587
Username:
[email protected]
Password:
Gkasteknik@2022

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2576-23-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2576-27-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2576-25-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2576-19-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2576-17-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 checkip.dyndns.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2876 schtasks.exe

flow	ioc
2	checkip.dyndns.org

pid	process
2876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

b28fed6e73d8203eeebe48b75835f1a6.exe

pid	process
2288	b28fed6e73d8203eeebe48b75835f1a6.exe
2288	b28fed6e73d8203eeebe48b75835f1a6.exe
2288	b28fed6e73d8203eeebe48b75835f1a6.exe
2288	b28fed6e73d8203eeebe48b75835f1a6.exe
2288	b28fed6e73d8203eeebe48b75835f1a6.exe
2288	b28fed6e73d8203eeebe48b75835f1a6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b28fed6e73d8203eeebe48b75835f1a6.exe

description pid process

Token: SeDebugPrivilege 2288 b28fed6e73d8203eeebe48b75835f1a6.exe

description	pid	process
Token: SeDebugPrivilege	2288	b28fed6e73d8203eeebe48b75835f1a6.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b28fed6e73d8203eeebe48b75835f1a6.exe

description	pid	process	target process
PID 2288 wrote to memory of 2600	2288	b28fed6e73d8203eeebe48b75835f1a6.exe	powershell.exe
PID 2288 wrote to memory of 2600	2288	b28fed6e73d8203eeebe48b75835f1a6.exe	powershell.exe
PID 2288 wrote to memory of 2600	2288	b28fed6e73d8203eeebe48b75835f1a6.exe	powershell.exe
PID 2288 wrote to memory of 2600	2288	b28fed6e73d8203eeebe48b75835f1a6.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\b28fed6e73d8203eeebe48b75835f1a6.exe
"C:\Users\Admin\AppData\Local\Temp\b28fed6e73d8203eeebe48b75835f1a6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zCFxvYBsgbJO.exe"
2⤵
PID:2600

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zCFxvYBsgbJO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA351.tmp"
2⤵
- Creates scheduled task(s)
PID:2876

C:\Users\Admin\AppData\Local\Temp\b28fed6e73d8203eeebe48b75835f1a6.exe
"C:\Users\Admin\AppData\Local\Temp\b28fed6e73d8203eeebe48b75835f1a6.exe"
2⤵
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA351.tmp

Filesize
1KB

MD5
8d807fbee5cfd8feb08463239b18d23e

SHA1
cbd5eea3c45e0eda5fd09e1413e01e270735c977

SHA256
48e2433a7d4bc747e6bcb7c45c4a0cf7f9d5877920c95882a3d8e6b1421e8d7d

SHA512
124e69ebe5b49b9e23657c641a905167292fc6327ae15c588de88511079ecc6e91b019f75bf2f3a0550762fce7472bbbc85ada6ebf649593fe1dab06372fd41c

Download Submit
memory/2288-28-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-1-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-2-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/2288-3-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/2288-4-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-5-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/2288-7-0x00000000006A0000-0x00000000006AA000-memory.dmp

Filesize
40KB

Download
memory/2288-6-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/2288-8-0x00000000021C0000-0x0000000002220000-memory.dmp

Filesize
384KB

Download
memory/2288-0-0x00000000008D0000-0x0000000000958000-memory.dmp

Filesize
544KB

Download
memory/2576-27-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2576-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2576-30-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/2576-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2576-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2576-29-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/2576-40-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/2576-39-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/2576-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2576-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2576-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2576-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2600-33-0x000000006FC10000-0x00000000701BB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-35-0x0000000002310000-0x0000000002350000-memory.dmp

Filesize
256KB

Download
memory/2600-37-0x0000000002310000-0x0000000002350000-memory.dmp

Filesize
256KB

Download
memory/2600-38-0x000000006FC10000-0x00000000701BB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-36-0x0000000002310000-0x0000000002350000-memory.dmp

Filesize
256KB

Download
memory/2600-34-0x000000006FC10000-0x00000000701BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads