snakekeylogger | 486032726bf8f655211586986bdc0e49f0149c0a85cfaebf1ff8c28e0587bc85

Analysis

max time kernel
40s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

115f6d94f2fd77eda6b81780e8051f0d.exe
Size

665KB
MD5

115f6d94f2fd77eda6b81780e8051f0d
SHA1

984bc609ef9c5da154a3d442051f3a9a0725ee23
SHA256

486032726bf8f655211586986bdc0e49f0149c0a85cfaebf1ff8c28e0587bc85
SHA512

f4c00cbc727885c482a752322844775fcbf854c1607966654307e9c9077060689050a5326bbacee278c4e04024a29f945a5622384c788d9f4f65a50f4ad035b3
SSDEEP

12288:tCtQvsls8COsBgo0q4wM90bVCW1VaZ3YDeoyi8hJHf5gCyKtytmLa:tCtQvwCOsBgo0q4wMSb31VaVUDyiAKCc

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
Chukwudim28@
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3212-18-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/1172-8-0x0000000005340000-0x0000000005352000-memory.dmp	CustAttr

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

114 freegeoip.app
115 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

388 3212 WerFault.exe 115f6d94f2fd77eda6b81780e8051f0d.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4956 schtasks.exe

flow	ioc
114	freegeoip.app
115	freegeoip.app

pid	pid_target	process	target process
388	3212	WerFault.exe	115f6d94f2fd77eda6b81780e8051f0d.exe

pid	process
4956	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\115f6d94f2fd77eda6b81780e8051f0d.exe
"C:\Users\Admin\AppData\Local\Temp\115f6d94f2fd77eda6b81780e8051f0d.exe"
1⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\115f6d94f2fd77eda6b81780e8051f0d.exe
"C:\Users\Admin\AppData\Local\Temp\115f6d94f2fd77eda6b81780e8051f0d.exe"
2⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1788
3⤵
- Program crash
PID:388

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IcgsvUnXJyQrdo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF1B3.tmp"
2⤵
- Creates scheduled task(s)
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3212 -ip 3212
1⤵
PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1172-8-0x0000000005340000-0x0000000005352000-memory.dmp

Filesize
72KB

Download
memory/1172-3-0x0000000005FE0000-0x0000000006584000-memory.dmp

Filesize
5.6MB

Download
memory/1172-9-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/1172-10-0x0000000005C60000-0x0000000005C70000-memory.dmp

Filesize
64KB

Download
memory/1172-5-0x0000000005C60000-0x0000000005C70000-memory.dmp

Filesize
64KB

Download
memory/1172-7-0x0000000005CD0000-0x0000000005D26000-memory.dmp

Filesize
344KB

Download
memory/1172-6-0x0000000005980000-0x000000000598A000-memory.dmp

Filesize
40KB

Download
memory/1172-0-0x0000000000EE0000-0x0000000000F8C000-memory.dmp

Filesize
688KB

Download
memory/1172-1-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/1172-2-0x0000000005990000-0x0000000005A2C000-memory.dmp

Filesize
624KB

Download
memory/1172-4-0x0000000005A30000-0x0000000005AC2000-memory.dmp

Filesize
584KB

Download
memory/1172-12-0x00000000070E0000-0x000000000710A000-memory.dmp

Filesize
168KB

Download
memory/1172-11-0x0000000008380000-0x00000000083EA000-memory.dmp

Filesize
424KB

Download
memory/1172-22-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/3212-21-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/3212-23-0x0000000005B80000-0x0000000005B90000-memory.dmp

Filesize
64KB

Download
memory/3212-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3212-24-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download