Malware Analysis Report

2025-06-16 03:50

Sample ID 240130-2ach7adhg6
Target 82b6aefc08b359173217678342f22080
SHA256 9be1467f145c688ecea5a3c8e25d870a53da1f17b3c7de248ef57123fa2b32ca
Tags
snakekeylogger keylogger stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9be1467f145c688ecea5a3c8e25d870a53da1f17b3c7de248ef57123fa2b32ca

Threat Level: Known bad

The file 82b6aefc08b359173217678342f22080 was found to be: Known bad.

Malicious Activity Summary

snakekeylogger keylogger stealer

Snake Keylogger

Snake Keylogger payload

Checks computer location settings

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-30 22:22

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-30 22:22

Reported

2024-01-30 22:24

Platform

win7-20231215-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A
N/A | freegeoip.app | N/A | N/A
N/A | freegeoip.app | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2964 set thread context of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2964 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2964 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2964 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2964 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2964 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2964 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2964 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2964 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2964 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2964 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2964 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2964 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2964 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2964 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2964 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2964 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2624 wrote to memory of 1104 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2624 wrote to memory of 1104 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2624 wrote to memory of 1104 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2624 wrote to memory of 1104 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe

"C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ikzxGmHjkZst" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCBA8.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"{path}"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 1588
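Read together, the SetThreadContext and WriteProcessMemory rows above and the process command lines are the two things a responder needs from this detonation: the sample writes into a freshly started, signed .NET utility (RegSvcs.exe) and then replaces its thread context, which is the process-hollowing shape, and it registers a scheduled task from an XML file staged in the user's Temp directory. The Python below is an added example written by the editor, not output of the sandbox or code from the report. Its input is constructed from the behavioral1 tables (the twelve identical RegSvcs.exe writes are collapsed to one row, since the detector only needs the pairing). The list of .NET hosts and the ATT&CK IDs (T1055.012 for hollowing, T1053.005 for the scheduled task) are the editor's mapping, not something the report states. The WerFault rows are deliberately not flagged: the crashed process's write into WerFault.exe has no SetThreadContext half and matches the report's "Program crash" signature rather than injection.

```python
import re

# Constructed from the behavioral1 "Suspicious use of SetThreadContext" and
# "Suspicious use of WriteProcessMemory" tables: (description, source image, target image).
# Added example input, not the sandbox's own data format.
EVENTS = [
    ("PID 2964 wrote to memory of 2332",
     r"C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe",
     r"C:\Windows\SysWOW64\schtasks.exe"),
    ("PID 2964 wrote to memory of 2624",
     r"C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
    ("PID 2964 set thread context of 2624",
     r"C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
    ("PID 2624 wrote to memory of 1104",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     r"C:\Windows\SysWOW64\WerFault.exe"),
]

# Command lines from the behavioral1 "Processes" section, keyed by PID.
CMDLINES = {
    2964: r'"C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe"',
    2332: r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ikzxGmHjkZst" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCBA8.tmp"',
    2624: r'"{path}"',
    1104: r"C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 1588",
}

# Signed Microsoft .NET utilities commonly used as hollowing hosts.
# Assumption: this list is the editor's, not one the report provides.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "applaunch.exe", "vbc.exe", "csc.exe", "aspnet_compiler.exe"}

EVENT_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)$")


def parse_events(rows):
    """Group events per (source PID, target PID): counts of writes and context resets."""
    edges = {}
    for desc, _src_image, target_image in rows:
        m = EVENT_RE.match(desc)
        if not m:
            continue
        src, kind, dst = int(m.group(1)), m.group(2), int(m.group(3))
        edge = edges.setdefault((src, dst), {"write": 0, "ctx": 0, "target": target_image})
        edge["write" if kind.startswith("wrote") else "ctx"] += 1
    return edges


def find_hollowing(edges):
    """Flag a parent that both writes into a child and resets its thread context,
    where the child is a .NET host. A write alone (the schtasks and WerFault rows)
    is not enough, so those edges fall through."""
    hits = []
    for (src, dst), e in edges.items():
        image = e["target"].rsplit("\\", 1)[-1].lower()
        if e["write"] and e["ctx"] and image in DOTNET_HOSTS:
            hits.append({"technique": "T1055.012", "parent": src, "hollowed": dst,
                         "host": image, "writes": e["write"]})
    return hits


SCHTASKS_RE = re.compile(r'/Create\b.*?/TN\s+"([^"]+)".*?/XML\s+"([^"]+)"', re.I)


def find_task_persistence(cmdlines):
    """Flag schtasks /Create whose task definition XML is staged under AppData\\Local\\Temp."""
    hits = []
    for pid, cmd in cmdlines.items():
        if "schtasks" not in cmd.lower():
            continue
        m = SCHTASKS_RE.search(cmd)
        if m and "\\appdata\\local\\temp\\" in m.group(2).lower():
            hits.append({"technique": "T1053.005", "pid": pid, "task": m.group(1), "xml": m.group(2)})
    return hits


def triage(rows, cmdlines):
    """All findings for one detonation, hollowing first, then persistence."""
    return find_hollowing(parse_events(rows)) + find_task_persistence(cmdlines)


if __name__ == "__main__":
    for finding in triage(EVENTS, CMDLINES):
        print(finding)
```

Running it on the constructed input yields exactly two findings: PID 2964 hollowing PID 2624 (regsvcs.exe) and PID 2332 creating the task Updates\ikzxGmHjkZst from the Temp XML. On a live host the same two checks map directly onto Sysmon event IDs 8/10 for the injection half and event ID 1 for the schtasks command line.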

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | checkip.dyndns.org | udp
US | 158.101.44.242:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | freegeoip.app | udp
US | 188.114.96.2:443 | freegeoip.app | tcp
US | 8.8.8.8:53 | ipbase.com | udp
US | 172.67.209.71:443 | ipbase.com | tcp

Files

memory/2964-1-0x0000000074730000-0x0000000074E1E000-memory.dmp

memory/2964-0-0x00000000012A0000-0x00000000013F6000-memory.dmp

memory/2964-2-0x0000000000D80000-0x0000000000DC0000-memory.dmp

memory/2964-3-0x00000000003C0000-0x00000000003D4000-memory.dmp

memory/2964-4-0x0000000074730000-0x0000000074E1E000-memory.dmp

memory/2964-5-0x0000000000D80000-0x0000000000DC0000-memory.dmp

memory/2964-6-0x00000000011D0000-0x0000000001254000-memory.dmp

memory/2964-7-0x0000000000C30000-0x0000000000C68000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpCBA8.tmp

MD5 127bfc87769cb3ceaaad3d86895b1901
SHA1 6d89ca094d8d990be8a074c6c61cf84857357793
SHA256 f2fd4757cd145e96d41e2b67da9089b0ebf374d4c36cfa2dc4141ed9a6292b80
SHA512 ac976e4bff38d5dbc89e1861d1600f4c35e7e2817836a0b0f92d0647c0653091cba05db0677db0ddee3afb0cad34bbdce467232c7ba3240fe693b91e8dc0099b

memory/2624-11-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2624-13-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2624-14-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2624-15-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2624-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2624-18-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2624-20-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2624-22-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2624-23-0x0000000074730000-0x0000000074E1E000-memory.dmp

memory/2964-24-0x0000000074730000-0x0000000074E1E000-memory.dmp

memory/2624-25-0x0000000004980000-0x00000000049C0000-memory.dmp

memory/2624-26-0x0000000074730000-0x0000000074E1E000-memory.dmp

memory/2624-27-0x0000000004980000-0x00000000049C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-30 22:22

Reported

2024-01-30 22:24

Platform

win10v2004-20231222-en

Max time kernel

91s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A
N/A | freegeoip.app | N/A | N/A
N/A | freegeoip.app | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4464 set thread context of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4464 wrote to memory of 3768 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 3768 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 3768 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4464 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4464 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4464 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4464 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4464 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4464 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4464 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe

"C:\Users\Admin\AppData\Local\Temp\82b6aefc08b359173217678342f22080.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ikzxGmHjkZst" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB630.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"{path}"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1520 -ip 1520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1768

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | checkip.dyndns.org | udp
US | 158.101.44.242:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | freegeoip.app | udp
US | 172.67.160.84:443 | freegeoip.app | tcp
US | 8.8.8.8:53 | ipbase.com | udp
US | 172.67.209.71:443 | ipbase.com | tcp
US | 8.8.8.8:53 | 242.44.101.158.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 84.160.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.209.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
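The behavioral2 network table mixes three kinds of rows: reverse (in-addr.arpa) lookups sent to the resolver, forward DNS queries, and the TCP connections that followed. Only the last two name infrastructure worth blocking; the PTR rows are reverse lookups of addresses and, as the example shows, at least one of them (242.44.101.158.in-addr.arpa) simply reverses to the checkip.dyndns.org address the sample had already contacted. The Python below is an added triage example written by the editor, not part of the report: it parses rows constructed from the table (three of the PTR rows plus every forward query and connection), drops the PTR noise while recording which PTR names reverse to an address that was actually connected to, and emits a deduplicated indicator list. The set of external-IP services is the editor's, taken from the three hosts seen in this report.

```python
import re

# Constructed from the behavioral2 "Network" table above (subset of the PTR rows).
# Added example input, not the sandbox's own export format.
NETWORK_ROWS = """\
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp
US 8.8.8.8:53 freegeoip.app udp
US 172.67.160.84:443 freegeoip.app tcp
US 8.8.8.8:53 ipbase.com udp
US 172.67.209.71:443 ipbase.com tcp
US 8.8.8.8:53 242.44.101.158.in-addr.arpa udp
"""

# Public external-IP / geolocation services contacted in this report (editor's list).
EXTERNAL_IP_SERVICES = {"checkip.dyndns.org", "freegeoip.app", "ipbase.com"}

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>udp|tcp)$")


def parse_rows(text):
    """Turn 'Country Destination Domain Proto' rows into dicts; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def ptr_to_ip(name):
    """'242.44.101.158.in-addr.arpa' -> '158.101.44.242' (PTR names list the octets reversed)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def triage_network(rows):
    """Separate PTR noise from forward queries and connections, deduplicating as we go."""
    dns_queries, connections, ptr_ips = [], [], []
    for r in rows:
        if r["domain"].endswith(".in-addr.arpa"):
            ptr_ips.append(ptr_to_ip(r["domain"]))     # reverse lookup: names no new host
        elif r["proto"] == "udp" and r["port"] == 53:
            if r["domain"] not in dns_queries:
                dns_queries.append(r["domain"])
        else:
            conn = {"domain": r["domain"], "ip": r["ip"], "port": r["port"], "proto": r["proto"]}
            if conn not in connections:
                connections.append(conn)
    contacted = {c["ip"] for c in connections}
    return {
        "dns_queries": dns_queries,
        "connections": connections,
        "ptr_lookups": len(ptr_ips),
        # PTR names that reverse to an address the sample actually connected to
        "ptr_of_contacted": [ip for ip in ptr_ips if ip in contacted],
        "external_ip_services": sorted(d for d in dns_queries if d in EXTERNAL_IP_SERVICES),
    }


def ioc_lines(result):
    """One blocklist-style line per distinct connection: 'domain ip:port/proto'."""
    return [f'{c["domain"]} {c["ip"]}:{c["port"]}/{c["proto"]}' for c in result["connections"]]


if __name__ == "__main__":
    summary = triage_network(parse_rows(NETWORK_ROWS))
    print("external-IP services:", summary["external_ip_services"])
    print("PTR lookups:", summary["ptr_lookups"], "of which for contacted hosts:", summary["ptr_of_contacted"])
    print("\n".join(ioc_lines(summary)))
```

Note that the external-IP lookups are reconnaissance, not command and control: blocking these three domains stops this sample's check-in step but should not be mistaken for blocking an exfiltration channel, which this detonation does not show.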

Files

memory/4464-1-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/4464-0-0x0000000000630000-0x0000000000786000-memory.dmp

memory/4464-2-0x0000000005160000-0x00000000051FC000-memory.dmp

memory/4464-3-0x0000000005810000-0x0000000005DB4000-memory.dmp

memory/4464-4-0x0000000005300000-0x0000000005392000-memory.dmp

memory/4464-5-0x00000000052F0000-0x0000000005300000-memory.dmp

memory/4464-7-0x00000000053A0000-0x00000000053F6000-memory.dmp

memory/4464-6-0x0000000005210000-0x000000000521A000-memory.dmp

memory/4464-8-0x0000000004BE0000-0x0000000004BF4000-memory.dmp

memory/4464-9-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/4464-10-0x00000000052F0000-0x0000000005300000-memory.dmp

memory/4464-11-0x0000000006600000-0x0000000006684000-memory.dmp

memory/4464-12-0x0000000006680000-0x00000000066B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB630.tmp

MD5 7a851e5aab6a4a0c52af07561e3834cd
SHA1 2f4e9b4f556f5e7be8c21d1f87e3d42a0dbe6ae8
SHA256 173d2b53c73db63c80b425af44ed66aac027586714189d6e6b95d49db752b842
SHA512 b406c157c35a096fcc3fbf4164fb0b347ab6ac946d058d45505d4a4c5ec9fc3981e00742c6ca1f7d40ce74a7ae3825be43f0cad82744b58c5b10c87a32e1a588

memory/1520-16-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4464-18-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/1520-19-0x0000000074650000-0x0000000074E00000-memory.dmp

memory/1520-20-0x0000000005400000-0x0000000005410000-memory.dmp

memory/1520-21-0x0000000074650000-0x0000000074E00000-memory.dmp