snakekeylogger | 9e4e77d4f212e5aad71c2a0409c801b64e89b9f92a0ce4e2903b587bc5a70485

General

Target

e22f1bbf54fbbd8d0135772dac71ac13.exe
Size

886KB
MD5

e22f1bbf54fbbd8d0135772dac71ac13
SHA1

b44ed322c53cb34c9eb7988c65be76eb7c78f089
SHA256

9e4e77d4f212e5aad71c2a0409c801b64e89b9f92a0ce4e2903b587bc5a70485
SHA512

2e577425a1d81e682777ae7b8c0dd9718923f6c0b2367a0096b7aa803bfb21eb02a4ded17600f6f9767b5ab853ddff56ebd8b39dd0ab8da341257d2e50aa3d58
SSDEEP

24576:14njPTfWh2y0ukcncNmGgvYTDn2KSQjHT5GA2ekyFh3C0cq:mmGhDneeQHMh3C0cq

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.vlccwellness.com
Port:
587
Username:
[email protected]
Password:
taiyab31121984
Email To:
[email protected]

C2

https://api.telegram.org/bot1865023387:AAFbWPISsv486p_o9A4CIDR1FBfAq1W7nUc/sendMessage?chat_id=1788371409

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2312-22-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2312-23-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2312-26-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2312-30-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2312-28-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
8 freegeoip.app
9 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

e22f1bbf54fbbd8d0135772dac71ac13.exe

description pid process target process

PID 2208 set thread context of 2312 2208 e22f1bbf54fbbd8d0135772dac71ac13.exe e22f1bbf54fbbd8d0135772dac71ac13.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1388 2312 WerFault.exe e22f1bbf54fbbd8d0135772dac71ac13.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2952 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e22f1bbf54fbbd8d0135772dac71ac13.exepowershell.exepowershell.exepowershell.exe

pid process

2312 e22f1bbf54fbbd8d0135772dac71ac13.exe
2404 powershell.exe
1668 powershell.exe
2444 powershell.exe

flow	ioc
4	checkip.dyndns.org
8	freegeoip.app
9	freegeoip.app

description	pid	process	target process
PID 2208 set thread context of 2312	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	e22f1bbf54fbbd8d0135772dac71ac13.exe

pid	pid_target	process	target process
1388	2312	WerFault.exe	e22f1bbf54fbbd8d0135772dac71ac13.exe

pid	process
2952	schtasks.exe

pid	process
2312	e22f1bbf54fbbd8d0135772dac71ac13.exe
2404	powershell.exe
1668	powershell.exe
2444	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

e22f1bbf54fbbd8d0135772dac71ac13.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2312	e22f1bbf54fbbd8d0135772dac71ac13.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

e22f1bbf54fbbd8d0135772dac71ac13.exee22f1bbf54fbbd8d0135772dac71ac13.exe

description	pid	process	target process
PID 2208 wrote to memory of 2404	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	powershell.exe
PID 2208 wrote to memory of 2404	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	powershell.exe
PID 2208 wrote to memory of 2404	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	powershell.exe
PID 2208 wrote to memory of 2404	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	powershell.exe
PID 2208 wrote to memory of 1668	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	powershell.exe
PID 2208 wrote to memory of 1668	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	powershell.exe
PID 2208 wrote to memory of 1668	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	powershell.exe
PID 2208 wrote to memory of 1668	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	powershell.exe
PID 2208 wrote to memory of 2952	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	schtasks.exe
PID 2208 wrote to memory of 2952	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	schtasks.exe
PID 2208 wrote to memory of 2952	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	schtasks.exe
PID 2208 wrote to memory of 2952	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	schtasks.exe
PID 2208 wrote to memory of 2444	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	powershell.exe
PID 2208 wrote to memory of 2444	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	powershell.exe
PID 2208 wrote to memory of 2444	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	powershell.exe
PID 2208 wrote to memory of 2444	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	powershell.exe
PID 2208 wrote to memory of 2312	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	e22f1bbf54fbbd8d0135772dac71ac13.exe
PID 2208 wrote to memory of 2312	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	e22f1bbf54fbbd8d0135772dac71ac13.exe
PID 2208 wrote to memory of 2312	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	e22f1bbf54fbbd8d0135772dac71ac13.exe
PID 2208 wrote to memory of 2312	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	e22f1bbf54fbbd8d0135772dac71ac13.exe
PID 2208 wrote to memory of 2312	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	e22f1bbf54fbbd8d0135772dac71ac13.exe
PID 2208 wrote to memory of 2312	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	e22f1bbf54fbbd8d0135772dac71ac13.exe
PID 2208 wrote to memory of 2312	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	e22f1bbf54fbbd8d0135772dac71ac13.exe
PID 2208 wrote to memory of 2312	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	e22f1bbf54fbbd8d0135772dac71ac13.exe
PID 2208 wrote to memory of 2312	2208	e22f1bbf54fbbd8d0135772dac71ac13.exe	e22f1bbf54fbbd8d0135772dac71ac13.exe
PID 2312 wrote to memory of 1388	2312	e22f1bbf54fbbd8d0135772dac71ac13.exe	WerFault.exe
PID 2312 wrote to memory of 1388	2312	e22f1bbf54fbbd8d0135772dac71ac13.exe	WerFault.exe
PID 2312 wrote to memory of 1388	2312	e22f1bbf54fbbd8d0135772dac71ac13.exe	WerFault.exe
PID 2312 wrote to memory of 1388	2312	e22f1bbf54fbbd8d0135772dac71ac13.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\e22f1bbf54fbbd8d0135772dac71ac13.exe
"C:\Users\Admin\AppData\Local\Temp\e22f1bbf54fbbd8d0135772dac71ac13.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e22f1bbf54fbbd8d0135772dac71ac13.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NEQcsxsAehXEc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NEQcsxsAehXEc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEF6E.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2952
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NEQcsxsAehXEc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Users\Admin\AppData\Local\Temp\e22f1bbf54fbbd8d0135772dac71ac13.exe
  "C:\Users\Admin\AppData\Local\Temp\e22f1bbf54fbbd8d0135772dac71ac13.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1620
    3⤵
    - Program crash
    PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEF6E.tmp

Filesize
1KB

MD5
775690aea9515a8954084bf1e540d6a8

SHA1
9d753536b410f25c182dbb80111bff73cf86945f

SHA256
74cef3a9d87c0353225a73eb3b686a5673104654e5294d7d9b19a2a9789af237

SHA512
9f6772fa2756b51bd4e7b7feaff974db75940cec7fcc078301c1275d9c50fce8722783311dde20367e213c64669931187c2e44b4a82c407278ed778ca9747bdd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a7ba2c79c84871ffd5a679cb243b4969

SHA1
cc22cfa255dcb54c8ae97f286ab9dec1fc7fac7c

SHA256
c938ebfaeb6756b917f017178eff5edc88e8cf2cb827ada6ae34cac9f67d04e1

SHA512
cba491b9cb5e001dc7ca9b2ca403d92e95df858cca854176c141206c9984ec4c4671be8246d0346c6391c081bcda98d0efb3351a0e4930b484ad9de459697665

Download Submit
memory/1668-51-0x000000006F460000-0x000000006FA0B000-memory.dmp

Filesize
5.7MB

Download
memory/1668-41-0x000000006F460000-0x000000006FA0B000-memory.dmp

Filesize
5.7MB

Download
memory/1668-40-0x0000000002390000-0x00000000023D0000-memory.dmp

Filesize
256KB

Download
memory/1668-38-0x000000006F460000-0x000000006FA0B000-memory.dmp

Filesize
5.7MB

Download
memory/2208-31-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2208-1-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2208-6-0x0000000007A00000-0x0000000007A8E000-memory.dmp

Filesize
568KB

Download
memory/2208-5-0x0000000007120000-0x0000000007160000-memory.dmp

Filesize
256KB

Download
memory/2208-0-0x0000000001070000-0x0000000001154000-memory.dmp

Filesize
912KB

Download
memory/2208-2-0x0000000007120000-0x0000000007160000-memory.dmp

Filesize
256KB

Download
memory/2208-3-0x0000000000B20000-0x0000000000B36000-memory.dmp

Filesize
88KB

Download
memory/2208-7-0x0000000004980000-0x00000000049A6000-memory.dmp

Filesize
152KB

Download
memory/2208-4-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2312-30-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2312-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2312-43-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-54-0x0000000004B90000-0x0000000004BD0000-memory.dmp

Filesize
256KB

Download
memory/2312-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2312-23-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2312-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2312-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2312-53-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2404-39-0x000000006F460000-0x000000006FA0B000-memory.dmp

Filesize
5.7MB

Download
memory/2404-48-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2404-49-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2404-50-0x000000006F460000-0x000000006FA0B000-memory.dmp

Filesize
5.7MB

Download
memory/2404-42-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2404-37-0x000000006F460000-0x000000006FA0B000-memory.dmp

Filesize
5.7MB

Download
memory/2444-45-0x0000000002520000-0x0000000002560000-memory.dmp

Filesize
256KB

Download
memory/2444-46-0x000000006F460000-0x000000006FA0B000-memory.dmp

Filesize
5.7MB

Download
memory/2444-47-0x0000000002520000-0x0000000002560000-memory.dmp

Filesize
256KB

Download
memory/2444-52-0x000000006F460000-0x000000006FA0B000-memory.dmp

Filesize
5.7MB

Download
memory/2444-44-0x000000006F460000-0x000000006FA0B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads