snakekeylogger | dd85a193900788d9b13eabcaa02085cdf8a72cb5d3d4e3444ec1bd741c6721f2

General

Target

AWB5331810761.exe
Size

517KB
MD5

fa7c160068137a6169be8bcaa00e408c
SHA1

8028763154b40c81ae85eb6dbf1dcc7d834b96d3
SHA256

dd85a193900788d9b13eabcaa02085cdf8a72cb5d3d4e3444ec1bd741c6721f2
SHA512

ae5dc7d46f154eb7db4da0f6a3db098c7cd51e49a8905facb340a76f3b9be335d3d909cd70f1d337da8dfa541c0bf8202cedcb3c3598ff755b1ee64aa6a88e79
SSDEEP

12288:Y45+po2MokrGa1hhBJx6/X3lmz3rIcjM6/oJXG:b+pJ+Ka/hBj6/HQJj9/O

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2636-21-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2636-23-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2636-27-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2636-29-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2636-31-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2032-38-0x0000000002510000-0x0000000002550000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

AWB5331810761.exe

description pid process target process

PID 3008 set thread context of 2636 3008 AWB5331810761.exe AWB5331810761.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1200 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AWB5331810761.exepowershell.exe

pid process

2636 AWB5331810761.exe
2032 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AWB5331810761.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2636 AWB5331810761.exe
Token: SeDebugPrivilege 2032 powershell.exe

flow	ioc
4	checkip.dyndns.org

description	pid	process	target process
PID 3008 set thread context of 2636	3008	AWB5331810761.exe	AWB5331810761.exe

pid	process
1200	schtasks.exe

pid	process
2636	AWB5331810761.exe
2032	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2636	AWB5331810761.exe
Token: SeDebugPrivilege	2032	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

AWB5331810761.exe

description	pid	process	target process
PID 3008 wrote to memory of 2032	3008	AWB5331810761.exe	powershell.exe
PID 3008 wrote to memory of 2032	3008	AWB5331810761.exe	powershell.exe
PID 3008 wrote to memory of 2032	3008	AWB5331810761.exe	powershell.exe
PID 3008 wrote to memory of 2032	3008	AWB5331810761.exe	powershell.exe
PID 3008 wrote to memory of 1200	3008	AWB5331810761.exe	schtasks.exe
PID 3008 wrote to memory of 1200	3008	AWB5331810761.exe	schtasks.exe
PID 3008 wrote to memory of 1200	3008	AWB5331810761.exe	schtasks.exe
PID 3008 wrote to memory of 1200	3008	AWB5331810761.exe	schtasks.exe
PID 3008 wrote to memory of 2636	3008	AWB5331810761.exe	AWB5331810761.exe
PID 3008 wrote to memory of 2636	3008	AWB5331810761.exe	AWB5331810761.exe
PID 3008 wrote to memory of 2636	3008	AWB5331810761.exe	AWB5331810761.exe
PID 3008 wrote to memory of 2636	3008	AWB5331810761.exe	AWB5331810761.exe
PID 3008 wrote to memory of 2636	3008	AWB5331810761.exe	AWB5331810761.exe
PID 3008 wrote to memory of 2636	3008	AWB5331810761.exe	AWB5331810761.exe
PID 3008 wrote to memory of 2636	3008	AWB5331810761.exe	AWB5331810761.exe
PID 3008 wrote to memory of 2636	3008	AWB5331810761.exe	AWB5331810761.exe
PID 3008 wrote to memory of 2636	3008	AWB5331810761.exe	AWB5331810761.exe

C:\Users\Admin\AppData\Local\Temp\AWB5331810761.exe
"C:\Users\Admin\AppData\Local\Temp\AWB5331810761.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eNITHBbuHQIef.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNITHBbuHQIef" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2240.tmp"
2⤵
- Creates scheduled task(s)
PID:1200

C:\Users\Admin\AppData\Local\Temp\AWB5331810761.exe
"C:\Users\Admin\AppData\Local\Temp\AWB5331810761.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2240.tmp

Filesize
1KB

MD5
647952fc2582de8e819c217a201b4251

SHA1
409de7ba5c02d9713af10351de550e853673a8cb

SHA256
d99c2c25dc7075a4f53100eeb4863dd8d38c5ad7c3a740a34ca74e0322e5ac55

SHA512
988acb6b1635b19764f7fcad3678b79ee2f4deb4b9e35954d8b174b97a43e572a30139f5682b058fc87036e993b7fcbca59aaf6b1aa97ddb7b10ac020acfe881

Download Submit
memory/2032-40-0x000000006C150000-0x000000006C6FB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-39-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/2032-38-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/2032-35-0x000000006C150000-0x000000006C6FB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-34-0x0000000002510000-0x0000000002550000-memory.dmp

Filesize
256KB

Download
memory/2032-33-0x000000006C150000-0x000000006C6FB000-memory.dmp

Filesize
5.7MB

Download
memory/2636-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2636-31-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2636-42-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/2636-41-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2636-17-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2636-19-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2636-21-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2636-37-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/2636-23-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2636-27-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2636-29-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2636-36-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-32-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-6-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/3008-5-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/3008-4-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/3008-8-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-3-0x0000000000670000-0x0000000000688000-memory.dmp

Filesize
96KB

Download
memory/3008-0-0x0000000000F00000-0x0000000000F88000-memory.dmp

Filesize
544KB

Download
memory/3008-2-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/3008-1-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-7-0x0000000004FD0000-0x0000000005030000-memory.dmp

Filesize
384KB

Download
memory/3008-9-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads