snakekeylogger | 1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6

Analysis

max time kernel
25s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2023 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe
Size

616KB
MD5

77521173381682b5a1deb286bce27bf4
SHA1

2ad56680cb0c821b18c269c63f4eeeb770140800
SHA256

1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6
SHA512

5366df45795f970f1b17113caf65c1e677b44da372cc85159fc4de4d8d32a08798aa4120cac956014c75fb71fce53ddfe8e76075b66c5f24e50a8f4a12254e53
SSDEEP

12288:h36N/bxyuAFnSz0cYMSE7a45naENKqIfPbY9QPNTURftb2pLuxQ:h3gqSznYMP5MbskYVapuQ

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.belt-tech.com.my
Port:
587
Username:
[email protected]
Password:
Beltechpg@1234
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3280-46-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 checkip.dyndns.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

956 schtasks.exe

flow	ioc
30	checkip.dyndns.org

pid	process
956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe

pid	process
2712	NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe
2712	NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe
2712	NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe

description pid process

Token: SeDebugPrivilege 2712 NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe

description	pid	process
Token: SeDebugPrivilege	2712	NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe"
2⤵
PID:1476

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BwmGnyPcYGIy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp44A5.tmp"
2⤵
- Creates scheduled task(s)
PID:956

C:\Users\Admin\AppData\Local\Temp\NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe"
2⤵
PID:3280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BwmGnyPcYGIy.exe"
2⤵
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0c38019f9222bb9951d710ff3518d9e4

SHA1
fd3959df0e93f0cf2ed955a0a08e4751f95f9a07

SHA256
342599d3be1e98fd5afece0ee7183999e22c4b010043cc14ecd3e65eab880445

SHA512
1f6cd656bdec77dab1344cd6839037f824442f9182f1ff7df1830d05ba97f73a324c2e31fc8ee2c1d7daa37ca6fbc888d83a373c0f6a31fbfa095243e34f33dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g1zyaknw.pnk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp44A5.tmp

Filesize
1KB

MD5
74ae9823f7d3ea15997899db2b8d213e

SHA1
33ec554dd10efea22d7df6c3ad82ac1d1f245d81

SHA256
489c7a7125fd6679dc5a7b375e0afba0f1bf96ef85477881766b75b78b584169

SHA512
3c8b6fd53047a7d75515360302c914693731e95b842cfd63ebc808653177af2bd3ce2df09c5b1ccdd641ed8b5f426e9ed8a6c0ab7b53aae90eb03e2f8dcb7d65

Download Submit
memory/1476-81-0x0000000007800000-0x0000000007896000-memory.dmp

Filesize
600KB

Download
memory/1476-24-0x0000000005BF0000-0x0000000005C56000-memory.dmp

Filesize
408KB

Download
memory/1476-77-0x0000000007470000-0x0000000007513000-memory.dmp

Filesize
652KB

Download
memory/1476-53-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/1476-21-0x0000000005280000-0x00000000052A2000-memory.dmp

Filesize
136KB

Download
memory/1476-66-0x0000000006820000-0x000000000683E000-memory.dmp

Filesize
120KB

Download
memory/1476-54-0x000000007F4C0000-0x000000007F4D0000-memory.dmp

Filesize
64KB

Download
memory/1476-16-0x0000000002930000-0x0000000002966000-memory.dmp

Filesize
216KB

Download
memory/1476-79-0x0000000007580000-0x000000000759A000-memory.dmp

Filesize
104KB

Download
memory/1476-56-0x0000000070A50000-0x0000000070A9C000-memory.dmp

Filesize
304KB

Download
memory/1476-17-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1476-92-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1476-26-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/1476-83-0x00000000077B0000-0x00000000077BE000-memory.dmp

Filesize
56KB

Download
memory/1476-86-0x00000000078A0000-0x00000000078A8000-memory.dmp

Filesize
32KB

Download
memory/2712-15-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/2712-1-0x0000000000320000-0x00000000003BE000-memory.dmp

Filesize
632KB

Download
memory/2712-49-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/2712-5-0x0000000004F70000-0x0000000004F7A000-memory.dmp

Filesize
40KB

Download
memory/2712-3-0x0000000004DB0000-0x0000000004E42000-memory.dmp

Filesize
584KB

Download
memory/2712-4-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/2712-2-0x0000000005280000-0x0000000005824000-memory.dmp

Filesize
5.6MB

Download
memory/2712-0-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/2712-10-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/2712-9-0x00000000080F0000-0x000000000818C000-memory.dmp

Filesize
624KB

Download
memory/2712-8-0x0000000005B60000-0x0000000005BC0000-memory.dmp

Filesize
384KB

Download
memory/2712-7-0x0000000005020000-0x000000000502A000-memory.dmp

Filesize
40KB

Download
memory/2712-6-0x0000000004F60000-0x0000000004F76000-memory.dmp

Filesize
88KB

Download
memory/2988-50-0x0000000006880000-0x000000000689E000-memory.dmp

Filesize
120KB

Download
memory/2988-19-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/2988-52-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/2988-22-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/2988-55-0x0000000006E40000-0x0000000006E72000-memory.dmp

Filesize
200KB

Download
memory/2988-51-0x0000000006BC0000-0x0000000006C0C000-memory.dmp

Filesize
304KB

Download
memory/2988-23-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/2988-78-0x00000000081E0000-0x000000000885A000-memory.dmp

Filesize
6.5MB

Download
memory/2988-80-0x0000000007C00000-0x0000000007C0A000-memory.dmp

Filesize
40KB

Download
memory/2988-25-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/2988-82-0x0000000007D90000-0x0000000007DA1000-memory.dmp

Filesize
68KB

Download
memory/2988-18-0x00000000059B0000-0x0000000005FD8000-memory.dmp

Filesize
6.2MB

Download
memory/2988-84-0x0000000007DD0000-0x0000000007DE4000-memory.dmp

Filesize
80KB

Download
memory/2988-85-0x0000000007ED0000-0x0000000007EEA000-memory.dmp

Filesize
104KB

Download
memory/2988-45-0x0000000006280000-0x00000000065D4000-memory.dmp

Filesize
3.3MB

Download
memory/2988-93-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/2988-67-0x0000000070A50000-0x0000000070A9C000-memory.dmp

Filesize
304KB

Download
memory/3280-46-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3280-48-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/3280-94-0x00000000066C0000-0x0000000006710000-memory.dmp

Filesize
320KB

Download
memory/3280-95-0x00000000068E0000-0x0000000006AA2000-memory.dmp

Filesize
1.8MB

Download
memory/3280-96-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download