snakekeylogger | 96007bdda9d12cf59fd2844843f62d3a86b85cb732ee76004e2f93ac38d8c8af

General

Target

033464d80692b6ffd9f6938d8dca921b.exe
Size

806KB
MD5

033464d80692b6ffd9f6938d8dca921b
SHA1

5463c7b2e3928d029d9ef4e9ae834994b8650d13
SHA256

96007bdda9d12cf59fd2844843f62d3a86b85cb732ee76004e2f93ac38d8c8af
SHA512

3c439e201b019bf8a9965211abb10ededdae3c74559ce0fa6c476ddd09743aa280aca074be85d8a450be607fb4998fc1f39cffbd481bf0189bcdca5bddef0fd0
SSDEEP

3072:2lSqfUfx0swpErm4ymFvR1pKucd78GMupAuFP27hIbf1sPzUgIAzI9+mCz7C3BfU:NqAxspJ45j+uZXu9EIBsYg1Cg

Score

10^/10

snakekeylogger zgrat keylogger rat stealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot1880141509:AAHjseWsCVnzygKB72YGbdj6S0DpdeKfGSs/sendMessage?chat_id=565072597

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3192-9-0x00000000058A0000-0x00000000058B6000-memory.dmp	family_zgrat_v1

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2404-10-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

34 checkip.dyndns.org
38 freegeoip.app
39 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

033464d80692b6ffd9f6938d8dca921b.exe

description pid process target process

PID 3192 set thread context of 2404 3192 033464d80692b6ffd9f6938d8dca921b.exe 033464d80692b6ffd9f6938d8dca921b.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2280 2404 WerFault.exe 033464d80692b6ffd9f6938d8dca921b.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

033464d80692b6ffd9f6938d8dca921b.exe

pid process

2404 033464d80692b6ffd9f6938d8dca921b.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

033464d80692b6ffd9f6938d8dca921b.exe

description pid process

Token: SeDebugPrivilege 2404 033464d80692b6ffd9f6938d8dca921b.exe

flow	ioc
34	checkip.dyndns.org
38	freegeoip.app
39	freegeoip.app

description	pid	process	target process
PID 3192 set thread context of 2404	3192	033464d80692b6ffd9f6938d8dca921b.exe	033464d80692b6ffd9f6938d8dca921b.exe

pid	pid_target	process	target process
2280	2404	WerFault.exe	033464d80692b6ffd9f6938d8dca921b.exe

pid	process
2404	033464d80692b6ffd9f6938d8dca921b.exe

description	pid	process
Token: SeDebugPrivilege	2404	033464d80692b6ffd9f6938d8dca921b.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

033464d80692b6ffd9f6938d8dca921b.exe

description	pid	process	target process
PID 3192 wrote to memory of 2404	3192	033464d80692b6ffd9f6938d8dca921b.exe	033464d80692b6ffd9f6938d8dca921b.exe
PID 3192 wrote to memory of 2404	3192	033464d80692b6ffd9f6938d8dca921b.exe	033464d80692b6ffd9f6938d8dca921b.exe
PID 3192 wrote to memory of 2404	3192	033464d80692b6ffd9f6938d8dca921b.exe	033464d80692b6ffd9f6938d8dca921b.exe
PID 3192 wrote to memory of 2404	3192	033464d80692b6ffd9f6938d8dca921b.exe	033464d80692b6ffd9f6938d8dca921b.exe
PID 3192 wrote to memory of 2404	3192	033464d80692b6ffd9f6938d8dca921b.exe	033464d80692b6ffd9f6938d8dca921b.exe
PID 3192 wrote to memory of 2404	3192	033464d80692b6ffd9f6938d8dca921b.exe	033464d80692b6ffd9f6938d8dca921b.exe
PID 3192 wrote to memory of 2404	3192	033464d80692b6ffd9f6938d8dca921b.exe	033464d80692b6ffd9f6938d8dca921b.exe
PID 3192 wrote to memory of 2404	3192	033464d80692b6ffd9f6938d8dca921b.exe	033464d80692b6ffd9f6938d8dca921b.exe

C:\Users\Admin\AppData\Local\Temp\033464d80692b6ffd9f6938d8dca921b.exe
"C:\Users\Admin\AppData\Local\Temp\033464d80692b6ffd9f6938d8dca921b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3192

C:\Users\Admin\AppData\Local\Temp\033464d80692b6ffd9f6938d8dca921b.exe
"C:\Users\Admin\AppData\Local\Temp\033464d80692b6ffd9f6938d8dca921b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1816
3⤵
- Program crash
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2404 -ip 2404
1⤵
PID:4124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\033464d80692b6ffd9f6938d8dca921b.exe.log

Filesize
886B

MD5
e15936e36b221de74505dd8f8ce05d91

SHA1
dfe096b87c4f9c82ef96d8680e8dc8d6ab0e876d

SHA256
4aba5e427d42a82df10ce9e5c5869541ff843ef391fea5a25fb41c2d908db868

SHA512
d2cf14cac375edeaa8be04749f910e5809a2b3daf20a47668ce4e4ee7935b87f89d817d71659596c5664a878666df1b43bbef6b9f91636e564a15452735d67bd

Download Submit
memory/2404-13-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/2404-16-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/2404-15-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2404-10-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3192-4-0x0000000005950000-0x0000000005960000-memory.dmp

Filesize
64KB

Download
memory/3192-6-0x00000000057B0000-0x00000000057F0000-memory.dmp

Filesize
256KB

Download
memory/3192-8-0x0000000005960000-0x00000000059F2000-memory.dmp

Filesize
584KB

Download
memory/3192-7-0x0000000005F10000-0x00000000064B4000-memory.dmp

Filesize
5.6MB

Download
memory/3192-9-0x00000000058A0000-0x00000000058B6000-memory.dmp

Filesize
88KB

Download
memory/3192-5-0x0000000005670000-0x000000000568E000-memory.dmp

Filesize
120KB

Download
memory/3192-14-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/3192-0-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/3192-2-0x00000000055F0000-0x0000000005666000-memory.dmp

Filesize
472KB

Download
memory/3192-3-0x0000000005710000-0x00000000057AC000-memory.dmp

Filesize
624KB

Download
memory/3192-1-0x0000000000BB0000-0x0000000000C80000-memory.dmp

Filesize
832KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads