snakekeylogger | 2c5edc6480fe0c2912dd55fcd4d63c494e425c7466ce5655e1ebc076a0d8d389

General

Target

cargo details.exe
Size

356KB
MD5

c6e93bb1fe3776c6fab7c4dbf5ad9aa7
SHA1

9c8101b401864743b197029a2ceb97dcb4dc8a27
SHA256

2c5edc6480fe0c2912dd55fcd4d63c494e425c7466ce5655e1ebc076a0d8d389
SHA512

8f4e99d17ba28e12df64be1a25c8c0c30bc52cee79b1952b813a6d4c264fcf14e96ba7c430a2f4724d7081cf827bd5dcf319ffdf01096c91ad63ce35802fdaf5
SSDEEP

6144:KGml3pBvuZ3UAwhUWsnC93yYkBxG8Vm5Lmv/tXGAunkc8sUnerSXE:KGml5B2BUJACxyvBxnHv/t2Ask3ng

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/212-8-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

cargo details.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cargo details.exe
Key opened	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cargo details.exe
Key opened	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cargo details.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

cargo details.exe

description pid process target process

PID 1864 set thread context of 212 1864 cargo details.exe cargo details.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cargo details.exe

pid process

212 cargo details.exe
212 cargo details.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cargo details.exe

description pid process

Token: SeDebugPrivilege 212 cargo details.exe

flow	ioc
8	checkip.dyndns.org

description	pid	process	target process
PID 1864 set thread context of 212	1864	cargo details.exe	cargo details.exe

pid	process
212	cargo details.exe
212	cargo details.exe

description	pid	process
Token: SeDebugPrivilege	212	cargo details.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cargo details.exe

description	pid	process	target process
PID 1864 wrote to memory of 212	1864	cargo details.exe	cargo details.exe
PID 1864 wrote to memory of 212	1864	cargo details.exe	cargo details.exe
PID 1864 wrote to memory of 212	1864	cargo details.exe	cargo details.exe
PID 1864 wrote to memory of 212	1864	cargo details.exe	cargo details.exe
PID 1864 wrote to memory of 212	1864	cargo details.exe	cargo details.exe
PID 1864 wrote to memory of 212	1864	cargo details.exe	cargo details.exe
PID 1864 wrote to memory of 212	1864	cargo details.exe	cargo details.exe
PID 1864 wrote to memory of 212	1864	cargo details.exe	cargo details.exe

outlook_office_path 1 IoCs

Processes:

cargo details.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cargo details.exe

outlook_win_path 1 IoCs

Processes:

cargo details.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cargo details.exe

C:\Users\Admin\AppData\Local\Temp\cargo details.exe
"C:\Users\Admin\AppData\Local\Temp\cargo details.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\cargo details.exe
"C:\Users\Admin\AppData\Local\Temp\cargo details.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cargo details.exe.log

Filesize
706B

MD5
f8bcaf312de8591707436c1dcebba8e4

SHA1
a1269828e5f644601622f4a7a611aec8f2eda0b2

SHA256
f0f5a90777c70cdceea22bd66b33c1703a318acc45cb012d0b01585a1ac12b29

SHA512
3a714f5950584abbc94a27bbd4623bfc5acb1135c8c9fca4d74e70c8481b71ace7dbc1dfbf101dd07c76a050acfb4852f31dd57fc7ae196382336c5edc9e6413

Download Submit
memory/212-13-0x0000000005B40000-0x0000000005B50000-memory.dmp

Filesize
64KB

Download
memory/212-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/212-18-0x0000000006D20000-0x0000000006D2A000-memory.dmp

Filesize
40KB

Download
memory/212-17-0x0000000006D90000-0x0000000006F52000-memory.dmp

Filesize
1.8MB

Download
memory/212-16-0x0000000006B70000-0x0000000006BC0000-memory.dmp

Filesize
320KB

Download
memory/212-15-0x0000000005B40000-0x0000000005B50000-memory.dmp

Filesize
64KB

Download
memory/212-14-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/212-12-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/1864-6-0x0000000005940000-0x00000000059DC000-memory.dmp

Filesize
624KB

Download
memory/1864-5-0x00000000058A0000-0x0000000005932000-memory.dmp

Filesize
584KB

Download
memory/1864-2-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/1864-0-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1864-7-0x00000000057E0000-0x00000000057EA000-memory.dmp

Filesize
40KB

Download
memory/1864-3-0x00000000056E0000-0x0000000005734000-memory.dmp

Filesize
336KB

Download
memory/1864-11-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/1864-4-0x0000000005DB0000-0x0000000006354000-memory.dmp

Filesize
5.6MB

Download
memory/1864-1-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads