snakekeylogger | 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd

General

Target

1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
Size

609KB
MD5

fe03b712d2e463fdeb67f9f9f2d98fc9
SHA1

d978aed329e47d47791e13f31fc4aa823e545f89
SHA256

1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd
SHA512

170ca520c7a9489f8245ae18fb3fa5aa7bc1441d183daa4f72e34a3bbbd393ca46427c25a3809fd805c19348eebf880f1b51c4c147b0ddeac8f1aad02fcd3a03
SSDEEP

12288:hMdIt/5J/tXcPl1RWLDmJr4YoKnE5ZrZ4YIfjwIF7:iWBJZ0lSuEbT5ZrlI7ws7

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2680-18-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2680-19-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2680-22-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2680-24-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2680-27-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2920-29-0x00000000026B0000-0x00000000026F0000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe

description	pid	process	target process
PID 2792 set thread context of 2680	2792	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2492 2680 WerFault.exe 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1884 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exepowershell.exe

pid process

2680 1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
2920 powershell.exe

pid	pid_target	process	target process
2492	2680	WerFault.exe	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe

pid	process
1884	schtasks.exe

pid	process
2680	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
2920	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2680	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
Token: SeDebugPrivilege	2920	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe

description	pid	process	target process
PID 2792 wrote to memory of 2920	2792	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	powershell.exe
PID 2792 wrote to memory of 2920	2792	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	powershell.exe
PID 2792 wrote to memory of 2920	2792	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	powershell.exe
PID 2792 wrote to memory of 2920	2792	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	powershell.exe
PID 2792 wrote to memory of 1884	2792	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	schtasks.exe
PID 2792 wrote to memory of 1884	2792	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	schtasks.exe
PID 2792 wrote to memory of 1884	2792	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	schtasks.exe
PID 2792 wrote to memory of 1884	2792	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	schtasks.exe
PID 2792 wrote to memory of 2680	2792	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
PID 2792 wrote to memory of 2680	2792	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
PID 2792 wrote to memory of 2680	2792	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
PID 2792 wrote to memory of 2680	2792	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
PID 2792 wrote to memory of 2680	2792	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
PID 2792 wrote to memory of 2680	2792	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
PID 2792 wrote to memory of 2680	2792	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
PID 2792 wrote to memory of 2680	2792	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
PID 2792 wrote to memory of 2680	2792	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
PID 2680 wrote to memory of 2492	2680	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	WerFault.exe
PID 2680 wrote to memory of 2492	2680	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	WerFault.exe
PID 2680 wrote to memory of 2492	2680	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	WerFault.exe
PID 2680 wrote to memory of 2492	2680	1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
"C:\Users\Admin\AppData\Local\Temp\1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DTeVcECl.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DTeVcECl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp70FB.tmp"
2⤵
- Creates scheduled task(s)
PID:1884

C:\Users\Admin\AppData\Local\Temp\1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe
"C:\Users\Admin\AppData\Local\Temp\1ab6ad1baf7099b79f78d5cc575dc08d33320b1f607b6fa038432c3a27fb2dfd.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1080
3⤵
- Program crash
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp70FB.tmp

Filesize
1KB

MD5
04db7aadb4725455c541a2f7e7b1dc31

SHA1
8f417008a5fa627b1f689e6c8b8dffe383768084

SHA256
9dbe00592a25385949d3e2994252973d8ea71aae64be6e2ac8073b1eb4c3109c

SHA512
a7c19df6bbcacac70cea9c9d9cc6cf8e7355660b06814c012e9c9b0dca753329ef7aabbf44f6c8f052b3eb7c15dad9878e76e32660bc7173a424ad6527835238

Download Submit
memory/2680-27-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2680-18-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2680-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2680-22-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2680-19-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2680-34-0x0000000072320000-0x0000000072A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-30-0x0000000072320000-0x0000000072A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2680-24-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2680-35-0x00000000049D0000-0x0000000004A10000-memory.dmp

Filesize
256KB

Download
memory/2680-16-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2680-17-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2792-3-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/2792-6-0x0000000005CE0000-0x0000000005D40000-memory.dmp

Filesize
384KB

Download
memory/2792-2-0x00000000005F0000-0x0000000000630000-memory.dmp

Filesize
256KB

Download
memory/2792-4-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/2792-25-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-8-0x00000000005F0000-0x0000000000630000-memory.dmp

Filesize
256KB

Download
memory/2792-0-0x00000000001B0000-0x000000000024E000-memory.dmp

Filesize
632KB

Download
memory/2792-1-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-5-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/2792-7-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2920-28-0x000000006E4F0000-0x000000006EA9B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-32-0x000000006E4F0000-0x000000006EA9B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-33-0x000000006E4F0000-0x000000006EA9B000-memory.dmp

Filesize
5.7MB

Download
memory/2920-31-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/2920-29-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads