snakekeylogger | 4b3bab16ab902ffc20293209b8fe86c6e93502648b6788601b41a1934d2822c3

General

Target

NEAS.4b3bab16ab902ffc20293209b8fe86c6e93502648b6788601b41a1934d2822c3.exe
Size

126KB
MD5

b1c08999736441acdbaacc4ff1845d82
SHA1

b28e3408648a55f92a203554b74cf0fd1a078427
SHA256

4b3bab16ab902ffc20293209b8fe86c6e93502648b6788601b41a1934d2822c3
SHA512

af8a8756a595698902c2300a2b06ffa37189099d589507eec356f56f2f347239de9f4a212cd0ac536a8ba47233cc074a5bfc8408303cadca1857935e9e9fa66d
SSDEEP

3072:qjdK8uu56pQKU7X7ca392b73FwBNZDgbY:uj3IbSZUb

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
laxrnicottons.com
Port:
587
Username:
[email protected]
Password:
2021isHere!!

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
laxrnicottons.com
Port:
587
Username:
[email protected]
Password:
2021isHere!!

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1576-0-0x0000000000E10000-0x0000000000E36000-memory.dmp	family_snakekeylogger
behavioral1/memory/1576-2-0x0000000004B50000-0x0000000004B90000-memory.dmp	family_snakekeylogger
behavioral1/memory/1576-4-0x0000000004B50000-0x0000000004B90000-memory.dmp	family_snakekeylogger

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

NEAS.4b3bab16ab902ffc20293209b8fe86c6e93502648b6788601b41a1934d2822c3.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NEAS.4b3bab16ab902ffc20293209b8fe86c6e93502648b6788601b41a1934d2822c3.exe
Key opened	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NEAS.4b3bab16ab902ffc20293209b8fe86c6e93502648b6788601b41a1934d2822c3.exe
Key opened	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NEAS.4b3bab16ab902ffc20293209b8fe86c6e93502648b6788601b41a1934d2822c3.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 checkip.dyndns.org

flow	ioc
2	checkip.dyndns.org

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

NEAS.4b3bab16ab902ffc20293209b8fe86c6e93502648b6788601b41a1934d2822c3.exe

pid	process
1576	NEAS.4b3bab16ab902ffc20293209b8fe86c6e93502648b6788601b41a1934d2822c3.exe
1576	NEAS.4b3bab16ab902ffc20293209b8fe86c6e93502648b6788601b41a1934d2822c3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NEAS.4b3bab16ab902ffc20293209b8fe86c6e93502648b6788601b41a1934d2822c3.exe

description pid process

Token: SeDebugPrivilege 1576 NEAS.4b3bab16ab902ffc20293209b8fe86c6e93502648b6788601b41a1934d2822c3.exe

description	pid	process
Token: SeDebugPrivilege	1576	NEAS.4b3bab16ab902ffc20293209b8fe86c6e93502648b6788601b41a1934d2822c3.exe

outlook_office_path 1 IoCs

Processes:

NEAS.4b3bab16ab902ffc20293209b8fe86c6e93502648b6788601b41a1934d2822c3.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NEAS.4b3bab16ab902ffc20293209b8fe86c6e93502648b6788601b41a1934d2822c3.exe

outlook_win_path 1 IoCs

Processes:

NEAS.4b3bab16ab902ffc20293209b8fe86c6e93502648b6788601b41a1934d2822c3.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	NEAS.4b3bab16ab902ffc20293209b8fe86c6e93502648b6788601b41a1934d2822c3.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.4b3bab16ab902ffc20293209b8fe86c6e93502648b6788601b41a1934d2822c3.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4b3bab16ab902ffc20293209b8fe86c6e93502648b6788601b41a1934d2822c3.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1576-0-0x0000000000E10000-0x0000000000E36000-memory.dmp

Filesize
152KB

Download
memory/1576-1-0x0000000074930000-0x000000007501E000-memory.dmp

Filesize
6.9MB

Download
memory/1576-2-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/1576-3-0x0000000074930000-0x000000007501E000-memory.dmp

Filesize
6.9MB

Download
memory/1576-4-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/1576-5-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads