snakekeylogger | 524bd24b076dc2580ced18f98ee98ab54d528f5fc8ffe02bdda47fa557feeb3c

General

Target

e01a751a8d6a089d25eccf34c504a5b0.exe
Size

644KB
MD5

e01a751a8d6a089d25eccf34c504a5b0
SHA1

58198c6cfa650df0609cb1dd931a59ebe6388d0f
SHA256

524bd24b076dc2580ced18f98ee98ab54d528f5fc8ffe02bdda47fa557feeb3c
SHA512

c83b57f3ae4340f74888a18a7d557157ae339934004febe871fe3df8c7245884b4038957a0487b3d85f52926b8f132284e0052e5017849c49c3103876267c7e0
SSDEEP

12288:z1/p+gczyhNSvRbBQHR4qz91hI0zSaNsvz+yuWDVId21NaI+E8tyvX6sJD37USqY:TsJDLjqb5cIX5zpwg0srHFD

Score

10^/10

snakekeylogger evasion keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
webmail.patagoniachileadventures.com
Port:
25
Username:
[email protected]
Password:
12345
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2108-9-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2108-11-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2108-15-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2108-19-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2108-17-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

e01a751a8d6a089d25eccf34c504a5b0.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions e01a751a8d6a089d25eccf34c504a5b0.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

e01a751a8d6a089d25eccf34c504a5b0.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools e01a751a8d6a089d25eccf34c504a5b0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	e01a751a8d6a089d25eccf34c504a5b0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	e01a751a8d6a089d25eccf34c504a5b0.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e01a751a8d6a089d25eccf34c504a5b0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e01a751a8d6a089d25eccf34c504a5b0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e01a751a8d6a089d25eccf34c504a5b0.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e01a751a8d6a089d25eccf34c504a5b0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	e01a751a8d6a089d25eccf34c504a5b0.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	e01a751a8d6a089d25eccf34c504a5b0.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e01a751a8d6a089d25eccf34c504a5b0.exe

description pid process target process

PID 2300 set thread context of 2108 2300 e01a751a8d6a089d25eccf34c504a5b0.exe e01a751a8d6a089d25eccf34c504a5b0.exe

description	pid	process	target process
PID 2300 set thread context of 2108	2300	e01a751a8d6a089d25eccf34c504a5b0.exe	e01a751a8d6a089d25eccf34c504a5b0.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

e01a751a8d6a089d25eccf34c504a5b0.exee01a751a8d6a089d25eccf34c504a5b0.exe

description	pid	process	target process
PID 2300 wrote to memory of 2108	2300	e01a751a8d6a089d25eccf34c504a5b0.exe	e01a751a8d6a089d25eccf34c504a5b0.exe
PID 2300 wrote to memory of 2108	2300	e01a751a8d6a089d25eccf34c504a5b0.exe	e01a751a8d6a089d25eccf34c504a5b0.exe
PID 2300 wrote to memory of 2108	2300	e01a751a8d6a089d25eccf34c504a5b0.exe	e01a751a8d6a089d25eccf34c504a5b0.exe
PID 2300 wrote to memory of 2108	2300	e01a751a8d6a089d25eccf34c504a5b0.exe	e01a751a8d6a089d25eccf34c504a5b0.exe
PID 2300 wrote to memory of 2108	2300	e01a751a8d6a089d25eccf34c504a5b0.exe	e01a751a8d6a089d25eccf34c504a5b0.exe
PID 2300 wrote to memory of 2108	2300	e01a751a8d6a089d25eccf34c504a5b0.exe	e01a751a8d6a089d25eccf34c504a5b0.exe
PID 2300 wrote to memory of 2108	2300	e01a751a8d6a089d25eccf34c504a5b0.exe	e01a751a8d6a089d25eccf34c504a5b0.exe
PID 2300 wrote to memory of 2108	2300	e01a751a8d6a089d25eccf34c504a5b0.exe	e01a751a8d6a089d25eccf34c504a5b0.exe
PID 2300 wrote to memory of 2108	2300	e01a751a8d6a089d25eccf34c504a5b0.exe	e01a751a8d6a089d25eccf34c504a5b0.exe
PID 2108 wrote to memory of 2692	2108	e01a751a8d6a089d25eccf34c504a5b0.exe	dw20.exe
PID 2108 wrote to memory of 2692	2108	e01a751a8d6a089d25eccf34c504a5b0.exe	dw20.exe
PID 2108 wrote to memory of 2692	2108	e01a751a8d6a089d25eccf34c504a5b0.exe	dw20.exe
PID 2108 wrote to memory of 2692	2108	e01a751a8d6a089d25eccf34c504a5b0.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\e01a751a8d6a089d25eccf34c504a5b0.exe
"C:\Users\Admin\AppData\Local\Temp\e01a751a8d6a089d25eccf34c504a5b0.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Local\Temp\e01a751a8d6a089d25eccf34c504a5b0.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 388
3⤵
PID:2692

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2108-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2108-21-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/2108-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2108-23-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/2108-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2108-5-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2108-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2108-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2108-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2108-9-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2300-4-0x0000000000200000-0x0000000000240000-memory.dmp

Filesize
256KB

Download
memory/2300-1-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/2300-0-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/2300-2-0x0000000000200000-0x0000000000240000-memory.dmp

Filesize
256KB

Download
memory/2300-20-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/2300-3-0x0000000074C80000-0x000000007522B000-memory.dmp

Filesize
5.7MB

Download
memory/2692-22-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads