snakekeylogger | 1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50

General

Target

payment-534.pdf.exe
Size

1.1MB
MD5

fcbb18ac3efebbcbe42999b718ba2995
SHA1

8771d111792d957cbf775c7eecd743be4b49d0a7
SHA256

1d16237ed75b507f03609ede9722fff429f9a7386c4c4408a9f47623d7a28b50
SHA512

84ee10f0f75694d3dfca2c67e2899cfc0b31ffb9cdfdd4b8666d8f68ab1acc9be6da02e354a14a070b51ea173b36030e492047df6a1d3f2f5bd1679f817a9cc1
SSDEEP

24576:mYrGdfC41+CruFtTRXispYjwLf1JxuAnHWsKjIo1zMh:FZ41+CraTRXikxJsAnHWsKso1zMh

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
megatechcontrol.com
Port:
587
Username:
[email protected]
Password:
megatech1#

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2664-9-0x0000000000400000-0x000000000047C000-memory.dmp	family_snakekeylogger
behavioral1/memory/2664-17-0x0000000000400000-0x000000000047C000-memory.dmp	family_snakekeylogger
behavioral1/memory/2664-15-0x0000000000400000-0x000000000047C000-memory.dmp	family_snakekeylogger
behavioral1/memory/2664-13-0x0000000000400000-0x000000000047C000-memory.dmp	family_snakekeylogger
behavioral1/memory/2664-10-0x0000000000400000-0x000000000047C000-memory.dmp	family_snakekeylogger

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

payment-534.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	payment-534.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	payment-534.pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	payment-534.pdf.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

payment-534.pdf.exe

description pid process target process

PID 1992 set thread context of 2664 1992 payment-534.pdf.exe payment-534.pdf.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

payment-534.pdf.exe

pid process

2664 payment-534.pdf.exe
2664 payment-534.pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

payment-534.pdf.exe

description pid process

Token: SeDebugPrivilege 2664 payment-534.pdf.exe

flow	ioc
2	checkip.dyndns.org

description	pid	process	target process
PID 1992 set thread context of 2664	1992	payment-534.pdf.exe	payment-534.pdf.exe

pid	process
2664	payment-534.pdf.exe
2664	payment-534.pdf.exe

description	pid	process
Token: SeDebugPrivilege	2664	payment-534.pdf.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

payment-534.pdf.exe

description	pid	process	target process
PID 1992 wrote to memory of 2664	1992	payment-534.pdf.exe	payment-534.pdf.exe
PID 1992 wrote to memory of 2664	1992	payment-534.pdf.exe	payment-534.pdf.exe
PID 1992 wrote to memory of 2664	1992	payment-534.pdf.exe	payment-534.pdf.exe
PID 1992 wrote to memory of 2664	1992	payment-534.pdf.exe	payment-534.pdf.exe
PID 1992 wrote to memory of 2664	1992	payment-534.pdf.exe	payment-534.pdf.exe
PID 1992 wrote to memory of 2664	1992	payment-534.pdf.exe	payment-534.pdf.exe
PID 1992 wrote to memory of 2664	1992	payment-534.pdf.exe	payment-534.pdf.exe
PID 1992 wrote to memory of 2664	1992	payment-534.pdf.exe	payment-534.pdf.exe
PID 1992 wrote to memory of 2664	1992	payment-534.pdf.exe	payment-534.pdf.exe

outlook_office_path 1 IoCs

Processes:

payment-534.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	payment-534.pdf.exe

outlook_win_path 1 IoCs

Processes:

payment-534.pdf.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	payment-534.pdf.exe

C:\Users\Admin\AppData\Local\Temp\payment-534.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\payment-534.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\payment-534.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\payment-534.pdf.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1992-0-0x0000000000E70000-0x0000000000F9C000-memory.dmp

Filesize
1.2MB

Download
memory/1992-1-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/1992-2-0x0000000000410000-0x0000000000450000-memory.dmp

Filesize
256KB

Download
memory/1992-3-0x0000000000550000-0x0000000000568000-memory.dmp

Filesize
96KB

Download
memory/1992-4-0x0000000000B20000-0x0000000000B28000-memory.dmp

Filesize
32KB

Download
memory/1992-5-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/1992-6-0x00000000055E0000-0x00000000056A2000-memory.dmp

Filesize
776KB

Download
memory/1992-18-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/2664-17-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2664-10-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2664-8-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2664-15-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2664-7-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2664-13-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2664-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2664-9-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2664-20-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/2664-19-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/2664-21-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/2664-22-0x0000000000E10000-0x0000000000E76000-memory.dmp

Filesize
408KB

Download
memory/2664-23-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/2664-24-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads