snakekeylogger | 4da4ec8a7a3b648539a6c58926876bd08bafed5329b52e05a0da9d42365ed229

Analysis

max time kernel
123s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2023 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Productlist4894216.exe
Size

518KB
MD5

ad765d2ef67e4db961aa06c02b8f25cd
SHA1

4785d4998971c1719d064f62f7c939064eb7750c
SHA256

4da4ec8a7a3b648539a6c58926876bd08bafed5329b52e05a0da9d42365ed229
SHA512

9e1e2208cb7182be4ef2ec3251a97791d5ae39cd2938a54558f3b3c9c76980b3d55dc00c2b88c10fdedd2969476aa8530a5f0e4b359dbceef37e7d41dbb65349
SSDEEP

12288:H45+po2oe0Qr02iShrPHNKSBZlY7f79reeEmA6:m+pJPdrfiSps7f7pbT9

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.belt-tech.com.my
Port:
587
Username:
[email protected]
Password:
Beltechpg@1234
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4008-13-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral2/memory/4008-16-0x0000000004B60000-0x0000000004B70000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Productlist4894216.exe

description pid process target process

PID 2000 set thread context of 4008 2000 Productlist4894216.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RegSvcs.exe

pid process

4008 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 4008 RegSvcs.exe

flow	ioc
39	checkip.dyndns.org

description	pid	process	target process
PID 2000 set thread context of 4008	2000	Productlist4894216.exe	RegSvcs.exe

pid	process
4008	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4008	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Productlist4894216.exe

description	pid	process	target process
PID 2000 wrote to memory of 4008	2000	Productlist4894216.exe	RegSvcs.exe
PID 2000 wrote to memory of 4008	2000	Productlist4894216.exe	RegSvcs.exe
PID 2000 wrote to memory of 4008	2000	Productlist4894216.exe	RegSvcs.exe
PID 2000 wrote to memory of 4008	2000	Productlist4894216.exe	RegSvcs.exe
PID 2000 wrote to memory of 4008	2000	Productlist4894216.exe	RegSvcs.exe
PID 2000 wrote to memory of 4008	2000	Productlist4894216.exe	RegSvcs.exe
PID 2000 wrote to memory of 4008	2000	Productlist4894216.exe	RegSvcs.exe
PID 2000 wrote to memory of 4008	2000	Productlist4894216.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Productlist4894216.exe
"C:\Users\Admin\AppData\Local\Temp\Productlist4894216.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2000-9-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/2000-2-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/2000-11-0x00000000061C0000-0x0000000006220000-memory.dmp

Filesize
384KB

Download
memory/2000-3-0x00000000052D0000-0x0000000005874000-memory.dmp

Filesize
5.6MB

Download
memory/2000-4-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/2000-5-0x0000000005000000-0x000000000500A000-memory.dmp

Filesize
40KB

Download
memory/2000-6-0x0000000005010000-0x0000000005028000-memory.dmp

Filesize
96KB

Download
memory/2000-7-0x0000000005050000-0x0000000005058000-memory.dmp

Filesize
32KB

Download
memory/2000-12-0x0000000006020000-0x00000000060BC000-memory.dmp

Filesize
624KB

Download
memory/2000-10-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/2000-1-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/2000-0-0x0000000000200000-0x0000000000288000-memory.dmp

Filesize
544KB

Download
memory/2000-8-0x0000000005260000-0x000000000526A000-memory.dmp

Filesize
40KB

Download
memory/2000-18-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/2000-17-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/4008-15-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/4008-16-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/4008-13-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4008-19-0x0000000074940000-0x00000000750F0000-memory.dmp

Filesize
7.7MB

Download
memory/4008-20-0x0000000004B60000-0x0000000004B70000-memory.dmp

Filesize
64KB

Download
memory/4008-21-0x0000000005AE0000-0x0000000005B30000-memory.dmp

Filesize
320KB

Download
memory/4008-22-0x0000000005D00000-0x0000000005EC2000-memory.dmp

Filesize
1.8MB

Download