snakekeylogger | 0dd188237a562417f239ff9be662f9336ec77a0906af62c26516a8e6f767f9f5

General

Target

Voyage Orders.exe
Size

489KB
MD5

73d48d44751c6d0241ac26c1123822be
SHA1

d794d3df6027c438f86c3418216ff9e18f32c5b8
SHA256

0dd188237a562417f239ff9be662f9336ec77a0906af62c26516a8e6f767f9f5
SHA512

5bc2e07fa120e4392d08f5930d82e0849555522338b625ae247fde4c913528e41421b387b00a6a3741556b97bbabb45bb296fd702422da44af9ede5048d8adbe
SSDEEP

12288:yrpviYJS8EtOcpAT35CPA7kyig/jZnP55oM:yrpasS8qOcCCPA7kyigLN0M

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2020-12-0x0000000000350000-0x0000000000376000-memory.dmp	family_snakekeylogger
behavioral2/memory/2020-13-0x0000000004EE0000-0x0000000004EF0000-memory.dmp	family_snakekeylogger

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

33 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Voyage Orders.exe

description pid process target process

PID 4984 set thread context of 2020 4984 Voyage Orders.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3780 2020 WerFault.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegAsm.exe

pid process

2020 RegAsm.exe
2020 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 2020 RegAsm.exe

flow	ioc
33	checkip.dyndns.org

description	pid	process	target process
PID 4984 set thread context of 2020	4984	Voyage Orders.exe	RegAsm.exe

pid	pid_target	process	target process
3780	2020	WerFault.exe	RegAsm.exe

pid	process
2020	RegAsm.exe
2020	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2020	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Voyage Orders.exe

description	pid	process	target process
PID 4984 wrote to memory of 2020	4984	Voyage Orders.exe	RegAsm.exe
PID 4984 wrote to memory of 2020	4984	Voyage Orders.exe	RegAsm.exe
PID 4984 wrote to memory of 2020	4984	Voyage Orders.exe	RegAsm.exe
PID 4984 wrote to memory of 2020	4984	Voyage Orders.exe	RegAsm.exe
PID 4984 wrote to memory of 2020	4984	Voyage Orders.exe	RegAsm.exe
PID 4984 wrote to memory of 2020	4984	Voyage Orders.exe	RegAsm.exe
PID 4984 wrote to memory of 2020	4984	Voyage Orders.exe	RegAsm.exe
PID 4984 wrote to memory of 2020	4984	Voyage Orders.exe	RegAsm.exe

outlook_office_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Voyage Orders.exe
"C:\Users\Admin\AppData\Local\Temp\Voyage Orders.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 2152
3⤵
- Program crash
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2020 -ip 2020
1⤵
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2020-11-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/2020-19-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/2020-18-0x0000000006720000-0x0000000006C4C000-memory.dmp

Filesize
5.2MB

Download
memory/2020-17-0x0000000006020000-0x00000000061E2000-memory.dmp

Filesize
1.8MB

Download
memory/2020-16-0x00000000021E0000-0x0000000002230000-memory.dmp

Filesize
320KB

Download
memory/2020-15-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2020-14-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/2020-13-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/2020-12-0x0000000000350000-0x0000000000376000-memory.dmp

Filesize
152KB

Download
memory/4984-4-0x0000000005D10000-0x00000000062B4000-memory.dmp

Filesize
5.6MB

Download
memory/4984-10-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download
memory/4984-7-0x00000000057E0000-0x00000000057E8000-memory.dmp

Filesize
32KB

Download
memory/4984-6-0x0000000005980000-0x0000000005A1C000-memory.dmp

Filesize
624KB

Download
memory/4984-5-0x0000000005840000-0x00000000058D2000-memory.dmp

Filesize
584KB

Download
memory/4984-0-0x0000000000CE0000-0x0000000000D60000-memory.dmp

Filesize
512KB

Download
memory/4984-2-0x0000000005710000-0x0000000005764000-memory.dmp

Filesize
336KB

Download
memory/4984-3-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/4984-1-0x0000000074F70000-0x0000000075720000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads