snakekeylogger | e54a637c5bc8ae8f50e28409b80f098a10cef38ae65e2adff8044e0349fcf8e0

Analysis

max time kernel
19s
max time network
156s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 05:27

Target

Order Inquiry.exe
Size

772KB
MD5

cc5eb59cb99d6c5ff4f8dbb39c3ac85a
SHA1

db3637757ec6398f74911598b78fb67779cfa881
SHA256

a7861637b7c5aca5ec97ec9b14ff793aa6e227f0c7af740350d9134225bd3c2c
SHA512

3e9b508b5bc593df4b1ac2151d4142905f260336342579d3fe1eda96390b8752b863557a2dd4d0ab0f918a4417579d06e181d499aa47545cab119483babf6ce2
SSDEEP

12288:RJpHCmbiNIwPfWeBpD1tM2MH6YZLuKw3WDJV733EgpAcLxzbHpGFo:tCFPNpD1tM2MTZLE6I

Score

10^/10

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2712-23-0x0000000000090000-0x00000000000B6000-memory.dmp	family_snakekeylogger
behavioral1/memory/2712-20-0x0000000000090000-0x00000000000B6000-memory.dmp	family_snakekeylogger
behavioral1/memory/2712-16-0x0000000000090000-0x00000000000B6000-memory.dmp	family_snakekeylogger
behavioral1/memory/2712-14-0x0000000000090000-0x00000000000B6000-memory.dmp	family_snakekeylogger
behavioral1/memory/2712-9-0x0000000000090000-0x00000000000B6000-memory.dmp	family_snakekeylogger
behavioral1/memory/2712-10-0x0000000000090000-0x00000000000B6000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Order Inquiry.exe

description pid process target process

PID 2036 set thread context of 2712 2036 Order Inquiry.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RegAsm.exe

pid process

2712 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 2712 RegAsm.exe

flow	ioc
2	checkip.dyndns.org

description	pid	process	target process
PID 2036 set thread context of 2712	2036	Order Inquiry.exe	RegAsm.exe

pid	process
2712	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2712	RegAsm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Order Inquiry.exe

description	pid	process	target process
PID 2036 wrote to memory of 2712	2036	Order Inquiry.exe	RegAsm.exe
PID 2036 wrote to memory of 2712	2036	Order Inquiry.exe	RegAsm.exe
PID 2036 wrote to memory of 2712	2036	Order Inquiry.exe	RegAsm.exe
PID 2036 wrote to memory of 2712	2036	Order Inquiry.exe	RegAsm.exe
PID 2036 wrote to memory of 2712	2036	Order Inquiry.exe	RegAsm.exe
PID 2036 wrote to memory of 2712	2036	Order Inquiry.exe	RegAsm.exe
PID 2036 wrote to memory of 2712	2036	Order Inquiry.exe	RegAsm.exe
PID 2036 wrote to memory of 2712	2036	Order Inquiry.exe	RegAsm.exe
PID 2036 wrote to memory of 2712	2036	Order Inquiry.exe	RegAsm.exe
PID 2036 wrote to memory of 2712	2036	Order Inquiry.exe	RegAsm.exe
PID 2036 wrote to memory of 2712	2036	Order Inquiry.exe	RegAsm.exe
PID 2036 wrote to memory of 2712	2036	Order Inquiry.exe	RegAsm.exe

memory/2036-15-0x0000000074B40000-0x000000007522E000-memory.dmp

Filesize
6.9MB

Download
memory/2036-1-0x0000000074B40000-0x000000007522E000-memory.dmp

Filesize
6.9MB

Download
memory/2036-2-0x0000000000AD0000-0x0000000000B24000-memory.dmp

Filesize
336KB

Download
memory/2036-3-0x0000000000B90000-0x0000000000BD0000-memory.dmp

Filesize
256KB

Download
memory/2036-4-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/2036-0-0x0000000001340000-0x0000000001406000-memory.dmp

Filesize
792KB

Download
memory/2712-16-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/2712-20-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/2712-23-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/2712-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2712-14-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/2712-9-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/2712-10-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/2712-7-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/2712-5-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download