snakekeylogger | 3198d00651176dccb2f68869fd1fb7882daa1073006b963b2dc254f4e28fddf2

General

Target

REMITTANCE SWIFT.exe
Size

613KB
MD5

f31bad5c33706d19bb437286c611c96f
SHA1

b1c62e91f2d3a639bc457594184d01ed70fbe70b
SHA256

3198d00651176dccb2f68869fd1fb7882daa1073006b963b2dc254f4e28fddf2
SHA512

5af7aa0e49031c4e12935555e8cae35611382b583ff1596215bdebf78946fe5fa36c93a322aa12275c359ef30cd50a7dedee526b0d5a1f0f1bbeed957898b617
SSDEEP

12288:UG5nF8ME6jD/cddS/YNsSGxc1wYGDYkPX19oFppwsW:UGPtD/SdS/YNsbxcfzkPXwHF

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.alualuminium.com.my
Port:
587
Username:
[email protected]
Password:
U8G4S13#8Zk$
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2568-24-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-34-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-32-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-30-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2568-26-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2720-47-0x0000000002CF0000-0x0000000002D30000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 checkip.dyndns.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1888 2568 WerFault.exe REMITTANCE SWIFT.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2668 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

REMITTANCE SWIFT.exe

pid process

1720 REMITTANCE SWIFT.exe
1720 REMITTANCE SWIFT.exe
1720 REMITTANCE SWIFT.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

REMITTANCE SWIFT.exe

description pid process

Token: SeDebugPrivilege 1720 REMITTANCE SWIFT.exe

flow	ioc
2	checkip.dyndns.org

pid	pid_target	process	target process
1888	2568	WerFault.exe	REMITTANCE SWIFT.exe

pid	process
2668	schtasks.exe

pid	process
1720	REMITTANCE SWIFT.exe
1720	REMITTANCE SWIFT.exe
1720	REMITTANCE SWIFT.exe

description	pid	process
Token: SeDebugPrivilege	1720	REMITTANCE SWIFT.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

REMITTANCE SWIFT.exe

description	pid	process	target process
PID 1720 wrote to memory of 2720	1720	REMITTANCE SWIFT.exe	powershell.exe
PID 1720 wrote to memory of 2720	1720	REMITTANCE SWIFT.exe	powershell.exe
PID 1720 wrote to memory of 2720	1720	REMITTANCE SWIFT.exe	powershell.exe
PID 1720 wrote to memory of 2720	1720	REMITTANCE SWIFT.exe	powershell.exe
PID 1720 wrote to memory of 2908	1720	REMITTANCE SWIFT.exe	powershell.exe
PID 1720 wrote to memory of 2908	1720	REMITTANCE SWIFT.exe	powershell.exe
PID 1720 wrote to memory of 2908	1720	REMITTANCE SWIFT.exe	powershell.exe
PID 1720 wrote to memory of 2908	1720	REMITTANCE SWIFT.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\REMITTANCE SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\REMITTANCE SWIFT.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\REMITTANCE SWIFT.exe"
2⤵
PID:2720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GgPjILmv.exe"
2⤵
PID:2908

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GgPjILmv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5BB7.tmp"
2⤵
- Creates scheduled task(s)
PID:2668

C:\Users\Admin\AppData\Local\Temp\REMITTANCE SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\REMITTANCE SWIFT.exe"
2⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 972
3⤵
- Program crash
PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5BB7.tmp

Filesize
1KB

MD5
82ecaaa83667cdff5ba57105ae52e257

SHA1
c951190422f0088384b2be00f4cb01a45453ca13

SHA256
d27ef74aa35ec4cca645e295300489a413a9165cf9f192a3108eea9892f5609d

SHA512
9a2f6b12f90cbfb1501164b5c788c15f5db4e25833036e1516612d4d60aab3d35691ef8395e84f5cabcf055c0aa1040a500dd19223c1d39a1c10c83384dc8200

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LHVYRIPM6RXLRA7HMSL0.temp

Filesize
7KB

MD5
45fe4efbf6e784210b5765b71cdfda1a

SHA1
6be33a987249bf8e842c92b16867095b723b22a7

SHA256
f51d53b15f3f84c397b946df406bd55c95a3e7a22c71393208ce345d37dbcf5c

SHA512
c4a3648f040f6e950249588097a74cbc97a13165adc6516523b73114372c026a357f3f8f708ce8cf9ecd35875bb6794aca00c08086776c53704ea44edc3421fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
45fe4efbf6e784210b5765b71cdfda1a

SHA1
6be33a987249bf8e842c92b16867095b723b22a7

SHA256
f51d53b15f3f84c397b946df406bd55c95a3e7a22c71393208ce345d37dbcf5c

SHA512
c4a3648f040f6e950249588097a74cbc97a13165adc6516523b73114372c026a357f3f8f708ce8cf9ecd35875bb6794aca00c08086776c53704ea44edc3421fe

Download Submit
memory/1720-3-0x0000000000630000-0x0000000000648000-memory.dmp

Filesize
96KB

Download
memory/1720-4-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/1720-5-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/1720-6-0x0000000004DB0000-0x0000000004E10000-memory.dmp

Filesize
384KB

Download
memory/1720-7-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/1720-35-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/1720-2-0x0000000004C70000-0x0000000004CB0000-memory.dmp

Filesize
256KB

Download
memory/1720-1-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/1720-0-0x0000000000230000-0x00000000002D0000-memory.dmp

Filesize
640KB

Download
memory/1720-22-0x0000000004C70000-0x0000000004CB0000-memory.dmp

Filesize
256KB

Download
memory/2568-30-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2568-43-0x0000000004890000-0x00000000048D0000-memory.dmp

Filesize
256KB

Download
memory/2568-34-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2568-23-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2568-32-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2568-20-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2568-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2568-26-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2568-51-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-50-0x0000000004890000-0x00000000048D0000-memory.dmp

Filesize
256KB

Download
memory/2568-24-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2568-45-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2720-47-0x0000000002CF0000-0x0000000002D30000-memory.dmp

Filesize
256KB

Download
memory/2720-46-0x0000000002CF0000-0x0000000002D30000-memory.dmp

Filesize
256KB

Download
memory/2720-40-0x000000006EFF0000-0x000000006F59B000-memory.dmp

Filesize
5.7MB

Download
memory/2720-48-0x000000006EFF0000-0x000000006F59B000-memory.dmp

Filesize
5.7MB

Download
memory/2720-38-0x0000000002CF0000-0x0000000002D30000-memory.dmp

Filesize
256KB

Download
memory/2720-36-0x000000006EFF0000-0x000000006F59B000-memory.dmp

Filesize
5.7MB

Download
memory/2908-42-0x0000000002A70000-0x0000000002AB0000-memory.dmp

Filesize
256KB

Download
memory/2908-44-0x0000000002A70000-0x0000000002AB0000-memory.dmp

Filesize
256KB

Download
memory/2908-41-0x000000006EFF0000-0x000000006F59B000-memory.dmp

Filesize
5.7MB

Download
memory/2908-39-0x0000000002A70000-0x0000000002AB0000-memory.dmp

Filesize
256KB

Download
memory/2908-49-0x000000006EFF0000-0x000000006F59B000-memory.dmp

Filesize
5.7MB

Download
memory/2908-37-0x000000006EFF0000-0x000000006F59B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads