snakekeylogger | fe2ed4220640da4d6e2e1e89e4a0dcc0bb67aaa2905b22276fc8a31ed65ea9e3

General

Target

Contract.exe
Size

635KB
MD5

dd93d84341928fb925e5446b3795cae2
SHA1

60b1c23aa28efb711fce60e82a389635e5e6bbc8
SHA256

fe2ed4220640da4d6e2e1e89e4a0dcc0bb67aaa2905b22276fc8a31ed65ea9e3
SHA512

dfdb35755c63180819f38a0693d6d6bcfc564c8448d15be135f84bd7e7f364d3fe7169bb28e07f0e40fe92f9094ccf2c63bc27768ecf001380922fcb23595987
SSDEEP

12288:pzeMMXRqdK/hWGJG/klXwWFynxWh7OPY6ilWG1gjd7BR6wT:pzeMSREydw/asAhGe/opB

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.mct2.co.za
Port:
587
Username:
[email protected]
Password:
00000

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2992-12-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Contract.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Contract.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Contract.exe
Key opened	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Contract.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Contract.exe

description pid process target process

PID 740 set thread context of 2992 740 Contract.exe Contract.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Contract.exe

pid process

2992 Contract.exe
2992 Contract.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Contract.exe

description pid process

Token: SeDebugPrivilege 2992 Contract.exe

flow	ioc
17	checkip.dyndns.org

description	pid	process	target process
PID 740 set thread context of 2992	740	Contract.exe	Contract.exe

pid	process
2992	Contract.exe
2992	Contract.exe

description	pid	process
Token: SeDebugPrivilege	2992	Contract.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Contract.exe

description	pid	process	target process
PID 740 wrote to memory of 2992	740	Contract.exe	Contract.exe
PID 740 wrote to memory of 2992	740	Contract.exe	Contract.exe
PID 740 wrote to memory of 2992	740	Contract.exe	Contract.exe
PID 740 wrote to memory of 2992	740	Contract.exe	Contract.exe
PID 740 wrote to memory of 2992	740	Contract.exe	Contract.exe
PID 740 wrote to memory of 2992	740	Contract.exe	Contract.exe
PID 740 wrote to memory of 2992	740	Contract.exe	Contract.exe
PID 740 wrote to memory of 2992	740	Contract.exe	Contract.exe

outlook_office_path 1 IoCs

Processes:

Contract.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Contract.exe

outlook_win_path 1 IoCs

Processes:

Contract.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Contract.exe

C:\Users\Admin\AppData\Local\Temp\Contract.exe
"C:\Users\Admin\AppData\Local\Temp\Contract.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\Contract.exe
"C:\Users\Admin\AppData\Local\Temp\Contract.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Contract.exe.log

Filesize
1KB

MD5
8cb8dbbb019a535fe00246c7afdb4270

SHA1
7d4fd9f302e4fc68a6fc3f95f0513c471ebfbb50

SHA256
2c4f3f1d603c33e8410ce061380ec7a1772db21bdc4b01d3ca4067500a391f86

SHA512
abc0cc34903b4d91f9f48ced799ee8019dcaa52f852e2b33cab42e92c3fd80a4ff2c71c12734836288c26165a77daa60badb6f0cc45ee8b6e1b431d3b1952a44

Download Submit
memory/740-10-0x0000000006B50000-0x0000000006BAE000-memory.dmp

Filesize
376KB

Download
memory/740-16-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/740-3-0x00000000056F0000-0x0000000005782000-memory.dmp

Filesize
584KB

Download
memory/740-4-0x0000000005790000-0x000000000583A000-memory.dmp

Filesize
680KB

Download
memory/740-5-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/740-6-0x0000000005670000-0x000000000567A000-memory.dmp

Filesize
40KB

Download
memory/740-7-0x00000000059E0000-0x00000000059FA000-memory.dmp

Filesize
104KB

Download
memory/740-11-0x000000000A6A0000-0x000000000A73C000-memory.dmp

Filesize
624KB

Download
memory/740-9-0x0000000005050000-0x000000000505A000-memory.dmp

Filesize
40KB

Download
memory/740-2-0x0000000005CA0000-0x0000000006244000-memory.dmp

Filesize
5.6MB

Download
memory/740-8-0x00000000058D0000-0x00000000058D8000-memory.dmp

Filesize
32KB

Download
memory/740-0-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/740-1-0x0000000000BD0000-0x0000000000C76000-memory.dmp

Filesize
664KB

Download
memory/2992-19-0x00000000064F0000-0x00000000066B2000-memory.dmp

Filesize
1.8MB

Download
memory/2992-15-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/2992-17-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/2992-18-0x00000000062D0000-0x0000000006320000-memory.dmp

Filesize
320KB

Download
memory/2992-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2992-20-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/2992-21-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads