snakekeylogger | 1039602fc744770fbf900b6cb8f66ca8d751faf9e072130e5b4035caf046511a

General

Target

RFQ-110146.exe
Size

844KB
MD5

42e9e8bca35f196255046a9640873a31
SHA1

ac5449f53111107fc6d73e2fcf7125dfd1ea94fc
SHA256

915e92b462c184dbe68f5c21fb0843e802969b7a3f20d30095e485e892c7a818
SHA512

e290ce98b223ef791236538dec71a12e8448b5aeb54b4bcdbc16114fda279a7cdd422017846e2b934ab8ed80ec9e025ebe5b4c091c30a41e9441a7bcb22a5cb3
SSDEEP

12288:Y6fftwLUW/hy7iS/d348nf9dgtOn16eqfg4OAlE+qmUu3AdqZBXRqvt0/BCh2Tne:3tup9S/d3r+8n1IjUu3A00vt0u2zK

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.cavilum.cl
Port:
587
Username:
[email protected]
Password:
Cavilum4313
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

resource	yara_rule
behavioral1/memory/2464-10-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2464-11-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2464-14-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2464-16-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2464-19-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2464-21-0x0000000004980000-0x00000000049C0000-memory.dmp	family_snakekeylogger

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral1/memory/2512-3-0x0000000000350000-0x0000000000362000-memory.dmp	CustAttr

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	checkip.dyndns.org
4	freegeoip.app
5	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2512 set thread context of 2464	2512	RFQ-110146.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2748	2464	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2464	RFQ-110146.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	RFQ-110146.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2464	2512	RFQ-110146.exe	30
PID 2512 wrote to memory of 2464	2512	RFQ-110146.exe	30
PID 2512 wrote to memory of 2464	2512	RFQ-110146.exe	30
PID 2512 wrote to memory of 2464	2512	RFQ-110146.exe	30
PID 2512 wrote to memory of 2464	2512	RFQ-110146.exe	30
PID 2512 wrote to memory of 2464	2512	RFQ-110146.exe	30
PID 2512 wrote to memory of 2464	2512	RFQ-110146.exe	30
PID 2512 wrote to memory of 2464	2512	RFQ-110146.exe	30
PID 2512 wrote to memory of 2464	2512	RFQ-110146.exe	30
PID 2464 wrote to memory of 2748	2464	RFQ-110146.exe	31
PID 2464 wrote to memory of 2748	2464	RFQ-110146.exe	31
PID 2464 wrote to memory of 2748	2464	RFQ-110146.exe	31
PID 2464 wrote to memory of 2748	2464	RFQ-110146.exe	31

C:\Users\Admin\AppData\Local\Temp\RFQ-110146.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-110146.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\RFQ-110146.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ-110146.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1524
    3⤵
    - Program crash
    PID:2748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2464-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2464-23-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/2464-22-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2464-21-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/2464-20-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2464-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2464-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2464-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2464-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2464-9-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2464-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2464-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2512-5-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/2512-7-0x00000000008D0000-0x00000000008F4000-memory.dmp

Filesize
144KB

Download
memory/2512-6-0x00000000059F0000-0x0000000005A82000-memory.dmp

Filesize
584KB

Download
memory/2512-18-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-0-0x0000000000F10000-0x0000000000FEA000-memory.dmp

Filesize
872KB

Download
memory/2512-4-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-3-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2512-2-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/2512-1-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing