snakekeylogger | fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948

Analysis

max time kernel
36s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2023 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe
Size

686KB
MD5

5a663a122c4d05a04fbe40571d2271aa
SHA1

f0e47c9a3b2bda06c706cb680f6f2efadb201520
SHA256

fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948
SHA512

a421723519a558abad954c13be517a3ec3ff945c197c7715c6b1746a7dd54a436a2846a2334651f4bfe19ad02c5a8a04809daa4d61e3c61d6490c5e3c7d67c06
SSDEEP

12288:S0gM1iEpS4TRIBS0eVR8IwE1WqoPTvSFxU5LlbI:SiRp3T+GXDXoPTvIALlbI

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.gkas.com.tr
Port:
587
Username:
[email protected]
Password:
Gkasteknik@2022

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4440-12-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral2/memory/4440-21-0x0000000005880000-0x0000000005890000-memory.dmp	family_snakekeylogger

Suspicious use of SetThreadContext 1 IoCs

Processes:

description pid process target process

PID 4508 set thread context of 4440 4508 NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe

description	pid	process	target process
PID 4508 set thread context of 4440	4508		NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe

pid	process
4508
4508
4508
4508
4508
4508
4440	NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe
4440	NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe

description pid process

Token: SeDebugPrivilege 4508
Token: SeDebugPrivilege 4440 NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe

description	pid	process
Token: SeDebugPrivilege	4508
Token: SeDebugPrivilege	4440	NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

description	pid	target process
PID 4508 wrote to memory of 4440	4508	NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe
PID 4508 wrote to memory of 4440	4508	NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe
PID 4508 wrote to memory of 4440	4508	NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe
PID 4508 wrote to memory of 4440	4508	NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe
PID 4508 wrote to memory of 4440	4508	NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe
PID 4508 wrote to memory of 4440	4508	NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe
PID 4508 wrote to memory of 4440	4508	NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe
PID 4508 wrote to memory of 4440	4508	NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe"
1⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
c51a434658c309f92169b69419ad619a

SHA1
8cf1467a6f6185116d1d8df65f20f02ecb224c1d

SHA256
ce2b026b74e0a33dbef8da05cfcde75de5022d89a8c86855a901073314941cc9

SHA512
8b2a11bc86141405194338d85b9e746c46ef2305b1ae35b60019df45c5ef6abe1b62de153257bac6e3e21a09bbd2d726ed97f63c5f33acc1b580b805d125c861

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/2132-68-0x000002C5FE580000-0x000002C5FE581000-memory.dmp

Filesize
4KB

Download
memory/2132-66-0x000002C5FE570000-0x000002C5FE571000-memory.dmp

Filesize
4KB

Download
memory/2132-57-0x000002C5FE950000-0x000002C5FE951000-memory.dmp

Filesize
4KB

Download
memory/2132-22-0x000002C5FA240000-0x000002C5FA250000-memory.dmp

Filesize
64KB

Download
memory/2132-55-0x000002C5FE950000-0x000002C5FE951000-memory.dmp

Filesize
4KB

Download
memory/2132-65-0x000002C5FE580000-0x000002C5FE581000-memory.dmp

Filesize
4KB

Download
memory/2132-71-0x000002C5FE570000-0x000002C5FE571000-memory.dmp

Filesize
4KB

Download
memory/2132-56-0x000002C5FE950000-0x000002C5FE951000-memory.dmp

Filesize
4KB

Download
memory/2132-74-0x000002C5FE4B0000-0x000002C5FE4B1000-memory.dmp

Filesize
4KB

Download
memory/2132-86-0x000002C5FE6B0000-0x000002C5FE6B1000-memory.dmp

Filesize
4KB

Download
memory/2132-59-0x000002C5FE950000-0x000002C5FE951000-memory.dmp

Filesize
4KB

Download
memory/2132-89-0x000002C5FE6C0000-0x000002C5FE6C1000-memory.dmp

Filesize
4KB

Download
memory/2132-54-0x000002C5FE930000-0x000002C5FE931000-memory.dmp

Filesize
4KB

Download
memory/2132-90-0x000002C5FE7D0000-0x000002C5FE7D1000-memory.dmp

Filesize
4KB

Download
memory/2132-60-0x000002C5FE950000-0x000002C5FE951000-memory.dmp

Filesize
4KB

Download
memory/2132-61-0x000002C5FE950000-0x000002C5FE951000-memory.dmp

Filesize
4KB

Download
memory/2132-63-0x000002C5FE950000-0x000002C5FE951000-memory.dmp

Filesize
4KB

Download
memory/2132-64-0x000002C5FE950000-0x000002C5FE951000-memory.dmp

Filesize
4KB

Download
memory/2132-62-0x000002C5FE950000-0x000002C5FE951000-memory.dmp

Filesize
4KB

Download
memory/2132-38-0x000002C5FA340000-0x000002C5FA350000-memory.dmp

Filesize
64KB

Download
memory/2132-58-0x000002C5FE950000-0x000002C5FE951000-memory.dmp

Filesize
4KB

Download
memory/2132-88-0x000002C5FE6C0000-0x000002C5FE6C1000-memory.dmp

Filesize
4KB

Download
memory/4440-17-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/4440-21-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/4440-20-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/4440-18-0x0000000006AC0000-0x0000000006B10000-memory.dmp

Filesize
320KB

Download
memory/4440-19-0x0000000006CE0000-0x0000000006EA2000-memory.dmp

Filesize
1.8MB

Download
memory/4440-15-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/4440-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4508-9-0x0000000006440000-0x00000000064A0000-memory.dmp

Filesize
384KB

Download
memory/4508-5-0x0000000004F30000-0x0000000004F3A000-memory.dmp

Filesize
40KB

Download
memory/4508-0-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/4508-3-0x0000000004F80000-0x0000000005012000-memory.dmp

Filesize
584KB

Download
memory/4508-16-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/4508-2-0x0000000005490000-0x0000000005A34000-memory.dmp

Filesize
5.6MB

Download
memory/4508-11-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/4508-1-0x0000000000470000-0x0000000000522000-memory.dmp

Filesize
712KB

Download
memory/4508-10-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/4508-8-0x00000000052A0000-0x00000000052AA000-memory.dmp

Filesize
40KB

Download
memory/4508-7-0x0000000005140000-0x000000000514E000-memory.dmp

Filesize
56KB

Download
memory/4508-4-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/4508-6-0x0000000005200000-0x000000000529C000-memory.dmp

Filesize
624KB

Download