snakekeylogger | 78c0352da41b3c206b12ea2d8d3f96c33c361e2211437c9746629023b1f0c094

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3988c73d0fe8cc854333752bc9c16413.exe
Size

547KB
MD5

3988c73d0fe8cc854333752bc9c16413
SHA1

607cf59d672fc032bcd63caa0e77b0c3a62121b9
SHA256

78c0352da41b3c206b12ea2d8d3f96c33c361e2211437c9746629023b1f0c094
SHA512

1ac7d447c0ce756af2bfc381dc1c8d939e0e649d76ead8da7d9abd24dee3758192a6bd0cd9bcef5e72f2df507a18a8f1bde3b89867eb17895fb0f18b0faf0744
SSDEEP

12288:iDjhrIh5IkB3OH3tguqnqd6KcuM4ry5ehNhjKUSotTkFW/Y74U:iDjhr0IJ9gydpcB4Q

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
webmail.aquariushotelboutique.com
Port:
25
Username:
[email protected]
Password:
6)fvPIxcEVwT
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

resource	yara_rule
behavioral1/memory/2728-19-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2728-21-0x0000000004BF0000-0x0000000004C30000-memory.dmp	family_snakekeylogger
behavioral1/memory/2728-16-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2728-14-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2728-11-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2728-10-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	checkip.dyndns.org
4	freegeoip.app
5	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1924 set thread context of 2728	1924	3988c73d0fe8cc854333752bc9c16413.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2612	2728	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1924	3988c73d0fe8cc854333752bc9c16413.exe
1924	3988c73d0fe8cc854333752bc9c16413.exe
1924	3988c73d0fe8cc854333752bc9c16413.exe
1924	3988c73d0fe8cc854333752bc9c16413.exe
2728	3988c73d0fe8cc854333752bc9c16413.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1924	3988c73d0fe8cc854333752bc9c16413.exe
Token: SeDebugPrivilege	2728	3988c73d0fe8cc854333752bc9c16413.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2768	1924	3988c73d0fe8cc854333752bc9c16413.exe	28
PID 1924 wrote to memory of 2768	1924	3988c73d0fe8cc854333752bc9c16413.exe	28
PID 1924 wrote to memory of 2768	1924	3988c73d0fe8cc854333752bc9c16413.exe	28
PID 1924 wrote to memory of 2768	1924	3988c73d0fe8cc854333752bc9c16413.exe	28
PID 1924 wrote to memory of 2784	1924	3988c73d0fe8cc854333752bc9c16413.exe	32
PID 1924 wrote to memory of 2784	1924	3988c73d0fe8cc854333752bc9c16413.exe	32
PID 1924 wrote to memory of 2784	1924	3988c73d0fe8cc854333752bc9c16413.exe	32
PID 1924 wrote to memory of 2784	1924	3988c73d0fe8cc854333752bc9c16413.exe	32
PID 1924 wrote to memory of 2792	1924	3988c73d0fe8cc854333752bc9c16413.exe	31
PID 1924 wrote to memory of 2792	1924	3988c73d0fe8cc854333752bc9c16413.exe	31
PID 1924 wrote to memory of 2792	1924	3988c73d0fe8cc854333752bc9c16413.exe	31
PID 1924 wrote to memory of 2792	1924	3988c73d0fe8cc854333752bc9c16413.exe	31
PID 1924 wrote to memory of 3056	1924	3988c73d0fe8cc854333752bc9c16413.exe	30
PID 1924 wrote to memory of 3056	1924	3988c73d0fe8cc854333752bc9c16413.exe	30
PID 1924 wrote to memory of 3056	1924	3988c73d0fe8cc854333752bc9c16413.exe	30
PID 1924 wrote to memory of 3056	1924	3988c73d0fe8cc854333752bc9c16413.exe	30
PID 1924 wrote to memory of 2728	1924	3988c73d0fe8cc854333752bc9c16413.exe	29
PID 1924 wrote to memory of 2728	1924	3988c73d0fe8cc854333752bc9c16413.exe	29
PID 1924 wrote to memory of 2728	1924	3988c73d0fe8cc854333752bc9c16413.exe	29
PID 1924 wrote to memory of 2728	1924	3988c73d0fe8cc854333752bc9c16413.exe	29
PID 1924 wrote to memory of 2728	1924	3988c73d0fe8cc854333752bc9c16413.exe	29
PID 1924 wrote to memory of 2728	1924	3988c73d0fe8cc854333752bc9c16413.exe	29
PID 1924 wrote to memory of 2728	1924	3988c73d0fe8cc854333752bc9c16413.exe	29
PID 1924 wrote to memory of 2728	1924	3988c73d0fe8cc854333752bc9c16413.exe	29
PID 1924 wrote to memory of 2728	1924	3988c73d0fe8cc854333752bc9c16413.exe	29
PID 2728 wrote to memory of 2612	2728	3988c73d0fe8cc854333752bc9c16413.exe	33
PID 2728 wrote to memory of 2612	2728	3988c73d0fe8cc854333752bc9c16413.exe	33
PID 2728 wrote to memory of 2612	2728	3988c73d0fe8cc854333752bc9c16413.exe	33
PID 2728 wrote to memory of 2612	2728	3988c73d0fe8cc854333752bc9c16413.exe	33

C:\Users\Admin\AppData\Local\Temp\3988c73d0fe8cc854333752bc9c16413.exe
"C:\Users\Admin\AppData\Local\Temp\3988c73d0fe8cc854333752bc9c16413.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\3988c73d0fe8cc854333752bc9c16413.exe
  "{path}"
  2⤵
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\3988c73d0fe8cc854333752bc9c16413.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 1476
    3⤵
    - Program crash
    PID:2612
- C:\Users\Admin\AppData\Local\Temp\3988c73d0fe8cc854333752bc9c16413.exe
  "{path}"
  2⤵
  PID:3056
- C:\Users\Admin\AppData\Local\Temp\3988c73d0fe8cc854333752bc9c16413.exe
  "{path}"
  2⤵
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\3988c73d0fe8cc854333752bc9c16413.exe
  "{path}"
  2⤵
  PID:2784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1924-0-0x00000000002E0000-0x0000000000370000-memory.dmp

Filesize
576KB

Download
memory/1924-1-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/1924-2-0x0000000000700000-0x0000000000740000-memory.dmp

Filesize
256KB

Download
memory/1924-3-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/1924-4-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/1924-5-0x0000000000700000-0x0000000000740000-memory.dmp

Filesize
256KB

Download
memory/1924-6-0x0000000007C00000-0x0000000007C74000-memory.dmp

Filesize
464KB

Download
memory/1924-7-0x00000000041E0000-0x000000000420A000-memory.dmp

Filesize
168KB

Download
memory/1924-17-0x0000000074270000-0x000000007495E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-20-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2728-21-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/2728-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2728-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2728-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2728-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2728-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2728-9-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2728-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2728-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2728-22-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2728-23-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download