snakekeylogger | 1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2

Analysis

max time kernel
27s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2023 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe
Size

628KB
MD5

7eec1e611d996a5f2792c9778da882bc
SHA1

90b7ad77edd7e61499d8e0160490bce4c9366934
SHA256

1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2
SHA512

3bcb54831392b6b6c0c976f4c9940590e0095d14859d02a639a0908ef131039d323f5601a142196c47e6d43f473f3fd8999b47c79f247380660e1eb413b91bea
SSDEEP

12288:QWOTNXc3hEunBAFnSuBVZ60SwMPAF98gb8X+SHucpVHGH:332uBqSu9FHMPAF76+SLVHG

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.alupanorama.com.my
Port:
587
Username:
[email protected]
Password:
t9&KsFB5dPgV
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4952-26-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

37 checkip.dyndns.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3228 schtasks.exe

flow	ioc
37	checkip.dyndns.org

pid	process
3228	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe

pid	process
1372	NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe
1372	NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe
1372	NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe

description pid process

Token: SeDebugPrivilege 1372 NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe

description	pid	process
Token: SeDebugPrivilege	1372	NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe"
2⤵
PID:1784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PjzCeIhiuryZzE.exe"
2⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1d7069432d20883d8bf613e91d3a78de608bb7e7fa2b6daf1252e5da9a717ba2.exe"
2⤵
PID:4952

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PjzCeIhiuryZzE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF770.tmp"
2⤵
- Creates scheduled task(s)
PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
dfa0b1b10666df1a584746fd8a2f4ceb

SHA1
8fd40c2f6403df2e6e3dbddc4affecaf0e657cd6

SHA256
89e5fdb0fa65b20bd9eb116e92f30de7069fecd5b6a52fc5edb04bfa3dd87d39

SHA512
e91e629a0beeaefe1622d6b111d6c618c2e5a02e10c6ef21bf76283ddce7a2e9753f2520a91013bd3dfd6f0a1d4bc9651901ba553d765f80fd8f960451dedfb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hm4pgakb.ile.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF770.tmp

Filesize
1KB

MD5
0dfb0484ca4f06021f68cd184fa4e7f4

SHA1
70bfa3e8db95354826603d84ad6958b7029b7082

SHA256
83a36d18f77f89837dcdac76cad20cb37a50ba44f1f3ccb00e44ea6e29e26258

SHA512
d46bddc6827faab06ff67edd69f51113ff6a451afeccc383dc7cba93b1b8d8a0c60b8224d6f47468c95779ff1c0da1add778050edfa7ea8039d2a08f449da15d

Download Submit
memory/1372-4-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/1372-5-0x0000000005290000-0x000000000529A000-memory.dmp

Filesize
40KB

Download
memory/1372-6-0x0000000005280000-0x0000000005296000-memory.dmp

Filesize
88KB

Download
memory/1372-7-0x0000000005330000-0x000000000533A000-memory.dmp

Filesize
40KB

Download
memory/1372-8-0x00000000056E0000-0x0000000005740000-memory.dmp

Filesize
384KB

Download
memory/1372-9-0x00000000083C0000-0x000000000845C000-memory.dmp

Filesize
624KB

Download
memory/1372-10-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/1372-43-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/1372-3-0x0000000005190000-0x0000000005222000-memory.dmp

Filesize
584KB

Download
memory/1372-1-0x0000000000650000-0x00000000006F2000-memory.dmp

Filesize
648KB

Download
memory/1372-11-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/1372-2-0x0000000005740000-0x0000000005CE4000-memory.dmp

Filesize
5.6MB

Download
memory/1372-0-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/1784-82-0x00000000070C0000-0x00000000070CA000-memory.dmp

Filesize
40KB

Download
memory/1784-59-0x0000000071600000-0x000000007164C000-memory.dmp

Filesize
304KB

Download
memory/1784-32-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/1784-17-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/1784-44-0x0000000005820000-0x0000000005B74000-memory.dmp

Filesize
3.3MB

Download
memory/1784-95-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/1784-19-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/1784-25-0x00000000054A0000-0x00000000054C2000-memory.dmp

Filesize
136KB

Download
memory/1784-88-0x0000000007370000-0x0000000007378000-memory.dmp

Filesize
32KB

Download
memory/1784-87-0x0000000007390000-0x00000000073AA000-memory.dmp

Filesize
104KB

Download
memory/1784-84-0x0000000007250000-0x0000000007261000-memory.dmp

Filesize
68KB

Download
memory/1784-83-0x00000000072D0000-0x0000000007366000-memory.dmp

Filesize
600KB

Download
memory/1784-20-0x0000000004E20000-0x0000000005448000-memory.dmp

Filesize
6.2MB

Download
memory/1784-16-0x0000000004780000-0x00000000047B6000-memory.dmp

Filesize
216KB

Download
memory/1784-18-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/1784-80-0x00000000076A0000-0x0000000007D1A000-memory.dmp

Filesize
6.5MB

Download
memory/1784-56-0x0000000006360000-0x0000000006392000-memory.dmp

Filesize
200KB

Download
memory/1784-55-0x000000007EF90000-0x000000007EFA0000-memory.dmp

Filesize
64KB

Download
memory/2340-79-0x00000000068F0000-0x0000000006993000-memory.dmp

Filesize
652KB

Download
memory/2340-86-0x0000000007800000-0x0000000007814000-memory.dmp

Filesize
80KB

Download
memory/2340-70-0x0000000006860000-0x000000000687E000-memory.dmp

Filesize
120KB

Download
memory/2340-57-0x0000000071600000-0x000000007164C000-memory.dmp

Filesize
304KB

Download
memory/2340-58-0x000000007FDD0000-0x000000007FDE0000-memory.dmp

Filesize
64KB

Download
memory/2340-81-0x00000000075C0000-0x00000000075DA000-memory.dmp

Filesize
104KB

Download
memory/2340-54-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/2340-22-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/2340-21-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/2340-24-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/2340-85-0x00000000077F0000-0x00000000077FE000-memory.dmp

Filesize
56KB

Download
memory/2340-34-0x0000000005CA0000-0x0000000005D06000-memory.dmp

Filesize
408KB

Download
memory/2340-53-0x00000000062F0000-0x000000000633C000-memory.dmp

Filesize
304KB

Download
memory/2340-52-0x00000000062C0000-0x00000000062DE000-memory.dmp

Filesize
120KB

Download
memory/2340-94-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/4952-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4952-42-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/4952-51-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/4952-96-0x0000000006340000-0x0000000006390000-memory.dmp

Filesize
320KB

Download
memory/4952-97-0x0000000006560000-0x0000000006722000-memory.dmp

Filesize
1.8MB

Download
memory/4952-98-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/4952-99-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download