snakekeylogger | 8fe74471f7e76b21be7e677b97a65d66cecaf52ff0c343ab0a93b303ee464c0e

General

Target

$PLUGINSDIR/yhrbectux.dll
Size

30KB
MD5

96112d00de78e6a6f7c9cd3b347ddd57
SHA1

98a2f0bfd0f72c1039bac854f7b0b1b889e89104
SHA256

73202aaad90d8e0f99ba6715b0fb8e35fd20368acf996e6c795301b4a421a1d2
SHA512

af0aeb2ae5881764e320777dab092ef66fd6cfbcf0de269c2bc47c7a429517502398c9340eadc15501af5f270d5e56f4f6ae169bdcc8e87c08642241fb119825
SSDEEP

768:May1uE0bONcu+4p7Hw/pXxH8KZm5f7pZwr:MaIh0bi5+g7HexHIZw

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 3 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2152-4-0x0000000000400000-0x0000000000457000-memory.dmp	family_snakekeylogger
behavioral3/memory/2152-8-0x0000000000400000-0x0000000000457000-memory.dmp	family_snakekeylogger
behavioral3/memory/2152-11-0x0000000000400000-0x0000000000457000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

5 2152 rundll32.exe
7 2152 rundll32.exe
9 2152 rundll32.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
6 freegeoip.app
7 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1524 set thread context of 2152 1524 rundll32.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

2152 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 2152 rundll32.exe

flow	pid	process
5	2152	rundll32.exe
7	2152	rundll32.exe
9	2152	rundll32.exe

flow	ioc
4	checkip.dyndns.org
6	freegeoip.app
7	freegeoip.app

description	pid	process	target process
PID 1524 set thread context of 2152	1524	rundll32.exe	rundll32.exe

pid	process
2152	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2152	rundll32.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1556 wrote to memory of 1524	1556	rundll32.exe	rundll32.exe
PID 1556 wrote to memory of 1524	1556	rundll32.exe	rundll32.exe
PID 1556 wrote to memory of 1524	1556	rundll32.exe	rundll32.exe
PID 1556 wrote to memory of 1524	1556	rundll32.exe	rundll32.exe
PID 1556 wrote to memory of 1524	1556	rundll32.exe	rundll32.exe
PID 1556 wrote to memory of 1524	1556	rundll32.exe	rundll32.exe
PID 1556 wrote to memory of 1524	1556	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2152	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2152	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2152	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2152	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2152	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2152	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2152	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2152	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2152	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2152	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2152	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2152	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2152	1524	rundll32.exe	rundll32.exe
PID 1524 wrote to memory of 2152	1524	rundll32.exe	rundll32.exe
PID 2152 wrote to memory of 2652	2152	rundll32.exe	dw20.exe
PID 2152 wrote to memory of 2652	2152	rundll32.exe	dw20.exe
PID 2152 wrote to memory of 2652	2152	rundll32.exe	dw20.exe
PID 2152 wrote to memory of 2652	2152	rundll32.exe	dw20.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\yhrbectux.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\yhrbectux.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\yhrbectux.dll,#1
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 1464
      4⤵
      PID:2652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1524-7-0x0000000074850000-0x0000000074857000-memory.dmp

Filesize
28KB

Download
memory/1524-1-0x0000000074850000-0x000000007485D000-memory.dmp

Filesize
52KB

Download
memory/1524-2-0x0000000074860000-0x000000007486D000-memory.dmp

Filesize
52KB

Download
memory/1524-3-0x0000000074840000-0x000000007484D000-memory.dmp

Filesize
52KB

Download
memory/1524-0-0x0000000074860000-0x000000007486D000-memory.dmp

Filesize
52KB

Download
memory/1524-6-0x0000000074860000-0x000000007486D000-memory.dmp

Filesize
52KB

Download
memory/1524-9-0x0000000074840000-0x000000007484D000-memory.dmp

Filesize
52KB

Download
memory/2152-12-0x0000000074020000-0x00000000745CB000-memory.dmp

Filesize
5.7MB

Download
memory/2152-16-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2152-11-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2152-4-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2152-13-0x0000000074020000-0x00000000745CB000-memory.dmp

Filesize
5.7MB

Download
memory/2152-14-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2152-15-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2152-8-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2152-17-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2152-24-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2152-19-0x0000000074020000-0x00000000745CB000-memory.dmp

Filesize
5.7MB

Download
memory/2152-20-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2152-21-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2152-22-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2152-23-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2652-18-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads