snakekeylogger | cee601c8a8d2220d65d6457c6e793ad7a34b08bc6b1ec2d36ed5c8cf50d4c93f

General

Target

0660a83db4bc57f237ce3f736e939f65.exe
Size

818KB
MD5

0660a83db4bc57f237ce3f736e939f65
SHA1

8c26f425b647fc18f08d05bae621bc8ea7ebb9e4
SHA256

cee601c8a8d2220d65d6457c6e793ad7a34b08bc6b1ec2d36ed5c8cf50d4c93f
SHA512

b1a8bda867e81c16a36809b6108c8067ccc5ef92fec4c4164fef888b4ef313db3abf6b0a863255a07169434952e53e8817c1cad5b0f794bdf5cc610b78a63689
SSDEEP

12288:mqnB3Tp+gczyhNSvRbBQHR4qz91hI0zSaNsvz+yuWDVId21NaI+E8tyvXWPzVq/Z:mqppPBG9V8w61edIuBCs1G+

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
smtp.mpjewellers.com
Port:
587
Username:
[email protected]
Password:
mpjw2013
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2672-15-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2672-16-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2672-19-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2672-21-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2672-23-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 checkip.dyndns.org
4 freegeoip.app
5 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

0660a83db4bc57f237ce3f736e939f65.exe

description pid process target process

PID 2528 set thread context of 2672 2528 0660a83db4bc57f237ce3f736e939f65.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2856 2672 WerFault.exe RegSvcs.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2896 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0660a83db4bc57f237ce3f736e939f65.exeRegSvcs.exe

pid process

2528 0660a83db4bc57f237ce3f736e939f65.exe
2672 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0660a83db4bc57f237ce3f736e939f65.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 2528 0660a83db4bc57f237ce3f736e939f65.exe
Token: SeDebugPrivilege 2672 RegSvcs.exe

flow	ioc
2	checkip.dyndns.org
4	freegeoip.app
5	freegeoip.app

description	pid	process	target process
PID 2528 set thread context of 2672	2528	0660a83db4bc57f237ce3f736e939f65.exe	RegSvcs.exe

pid	pid_target	process	target process
2856	2672	WerFault.exe	RegSvcs.exe

pid	process
2896	schtasks.exe

pid	process
2528	0660a83db4bc57f237ce3f736e939f65.exe
2672	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2528	0660a83db4bc57f237ce3f736e939f65.exe
Token: SeDebugPrivilege	2672	RegSvcs.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

0660a83db4bc57f237ce3f736e939f65.exeRegSvcs.exe

description	pid	process	target process
PID 2528 wrote to memory of 2896	2528	0660a83db4bc57f237ce3f736e939f65.exe	schtasks.exe
PID 2528 wrote to memory of 2896	2528	0660a83db4bc57f237ce3f736e939f65.exe	schtasks.exe
PID 2528 wrote to memory of 2896	2528	0660a83db4bc57f237ce3f736e939f65.exe	schtasks.exe
PID 2528 wrote to memory of 2896	2528	0660a83db4bc57f237ce3f736e939f65.exe	schtasks.exe
PID 2528 wrote to memory of 2672	2528	0660a83db4bc57f237ce3f736e939f65.exe	RegSvcs.exe
PID 2528 wrote to memory of 2672	2528	0660a83db4bc57f237ce3f736e939f65.exe	RegSvcs.exe
PID 2528 wrote to memory of 2672	2528	0660a83db4bc57f237ce3f736e939f65.exe	RegSvcs.exe
PID 2528 wrote to memory of 2672	2528	0660a83db4bc57f237ce3f736e939f65.exe	RegSvcs.exe
PID 2528 wrote to memory of 2672	2528	0660a83db4bc57f237ce3f736e939f65.exe	RegSvcs.exe
PID 2528 wrote to memory of 2672	2528	0660a83db4bc57f237ce3f736e939f65.exe	RegSvcs.exe
PID 2528 wrote to memory of 2672	2528	0660a83db4bc57f237ce3f736e939f65.exe	RegSvcs.exe
PID 2528 wrote to memory of 2672	2528	0660a83db4bc57f237ce3f736e939f65.exe	RegSvcs.exe
PID 2528 wrote to memory of 2672	2528	0660a83db4bc57f237ce3f736e939f65.exe	RegSvcs.exe
PID 2528 wrote to memory of 2672	2528	0660a83db4bc57f237ce3f736e939f65.exe	RegSvcs.exe
PID 2528 wrote to memory of 2672	2528	0660a83db4bc57f237ce3f736e939f65.exe	RegSvcs.exe
PID 2528 wrote to memory of 2672	2528	0660a83db4bc57f237ce3f736e939f65.exe	RegSvcs.exe
PID 2672 wrote to memory of 2856	2672	RegSvcs.exe	WerFault.exe
PID 2672 wrote to memory of 2856	2672	RegSvcs.exe	WerFault.exe
PID 2672 wrote to memory of 2856	2672	RegSvcs.exe	WerFault.exe
PID 2672 wrote to memory of 2856	2672	RegSvcs.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\0660a83db4bc57f237ce3f736e939f65.exe
"C:\Users\Admin\AppData\Local\Temp\0660a83db4bc57f237ce3f736e939f65.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NDtqckbCHv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3082.tmp"
2⤵
- Creates scheduled task(s)
PID:2896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 1496
3⤵
- Program crash
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3082.tmp

Filesize
1KB

MD5
8cbfe32279342fe472ed69ca494e6202

SHA1
6adc97b6b2aecb98df1b68e35f8705bbedb4d5e2

SHA256
9ff95d64f957aa5e18eafe7bf9944c901992f9cf32c8cceea2709785a868da76

SHA512
5f4b272121889671f57be5a5cef240b5c5e6cfa004e87c702fd0d4e41cff55e55d928c6f23b1b2aa196450f732b4ca96ffc564e51db1f8e52d66a91dc9b152e3

Download Submit
memory/2528-0-0x0000000000D80000-0x0000000000E52000-memory.dmp

Filesize
840KB

Download
memory/2528-1-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2528-2-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/2528-3-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/2528-4-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2528-5-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/2528-6-0x0000000007D70000-0x0000000007E18000-memory.dmp

Filesize
672KB

Download
memory/2528-7-0x0000000000A00000-0x0000000000A64000-memory.dmp

Filesize
400KB

Download
memory/2528-25-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2672-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2672-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2672-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2672-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2672-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2672-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2672-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2672-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2672-24-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2672-26-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/2672-27-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2672-28-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads