snakekeylogger | b04c992fb893695fad2aa827754bd6cae34eb3e70a2fd00e4f2e884e73352026

General

Target

$PLUGINSDIR/gstrsy.dll
Size

20KB
MD5

56168ae8fc145b349d57533a6575a072
SHA1

1e21b1fa3bf64bea8e34ef780730dd63d281c43b
SHA256

22e58e7c50d06d59c142110e71515df2f901d5d8361ce065b05aa65e774bbea6
SHA512

d1a6bd6af071b79f440c90447ee3817a86d6e17a284e842ba9f804850ae3d46eb4395fc3bcd86a40c7a03c2be2a11a88d0b0b4a36f3748d74a61424539f220cd
SSDEEP

384:t+guiCzcXBWIOrJ0mDWWV//9TK2YV3Qd5yaIIbIJi04o+yQUR3ndeqox4:QguiCzOX6yWNFvYV3QHy2cJ94SQ83deJ

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 3 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2768-2-0x0000000000400000-0x0000000000457000-memory.dmp	family_snakekeylogger
behavioral3/memory/2768-4-0x0000000000400000-0x0000000000457000-memory.dmp	family_snakekeylogger
behavioral3/memory/2768-6-0x0000000000400000-0x0000000000457000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

5 2768 rundll32.exe
7 2768 rundll32.exe
9 2768 rundll32.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
6 freegeoip.app
7 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2916 set thread context of 2768 2916 rundll32.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

2768 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 2768 rundll32.exe

flow	pid	process
5	2768	rundll32.exe
7	2768	rundll32.exe
9	2768	rundll32.exe

flow	ioc
4	checkip.dyndns.org
6	freegeoip.app
7	freegeoip.app

description	pid	process	target process
PID 2916 set thread context of 2768	2916	rundll32.exe	rundll32.exe

pid	process
2768	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2768	rundll32.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 2920 wrote to memory of 2916	2920	rundll32.exe	rundll32.exe
PID 2920 wrote to memory of 2916	2920	rundll32.exe	rundll32.exe
PID 2920 wrote to memory of 2916	2920	rundll32.exe	rundll32.exe
PID 2920 wrote to memory of 2916	2920	rundll32.exe	rundll32.exe
PID 2920 wrote to memory of 2916	2920	rundll32.exe	rundll32.exe
PID 2920 wrote to memory of 2916	2920	rundll32.exe	rundll32.exe
PID 2920 wrote to memory of 2916	2920	rundll32.exe	rundll32.exe
PID 2916 wrote to memory of 2768	2916	rundll32.exe	rundll32.exe
PID 2916 wrote to memory of 2768	2916	rundll32.exe	rundll32.exe
PID 2916 wrote to memory of 2768	2916	rundll32.exe	rundll32.exe
PID 2916 wrote to memory of 2768	2916	rundll32.exe	rundll32.exe
PID 2916 wrote to memory of 2768	2916	rundll32.exe	rundll32.exe
PID 2916 wrote to memory of 2768	2916	rundll32.exe	rundll32.exe
PID 2916 wrote to memory of 2768	2916	rundll32.exe	rundll32.exe
PID 2916 wrote to memory of 2768	2916	rundll32.exe	rundll32.exe
PID 2916 wrote to memory of 2768	2916	rundll32.exe	rundll32.exe
PID 2916 wrote to memory of 2768	2916	rundll32.exe	rundll32.exe
PID 2916 wrote to memory of 2768	2916	rundll32.exe	rundll32.exe
PID 2916 wrote to memory of 2768	2916	rundll32.exe	rundll32.exe
PID 2916 wrote to memory of 2768	2916	rundll32.exe	rundll32.exe
PID 2916 wrote to memory of 2768	2916	rundll32.exe	rundll32.exe
PID 2768 wrote to memory of 2436	2768	rundll32.exe	dw20.exe
PID 2768 wrote to memory of 2436	2768	rundll32.exe	dw20.exe
PID 2768 wrote to memory of 2436	2768	rundll32.exe	dw20.exe
PID 2768 wrote to memory of 2436	2768	rundll32.exe	dw20.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gstrsy.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gstrsy.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gstrsy.dll,#1
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 1460
      4⤵
      PID:2436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2436-11-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/2436-13-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/2768-2-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2768-4-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2768-6-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2768-8-0x0000000073E30000-0x00000000743DB000-memory.dmp

Filesize
5.7MB

Download
memory/2768-9-0x0000000073E30000-0x00000000743DB000-memory.dmp

Filesize
5.7MB

Download
memory/2768-10-0x00000000001F0000-0x0000000000230000-memory.dmp

Filesize
256KB

Download
memory/2768-12-0x0000000073E30000-0x00000000743DB000-memory.dmp

Filesize
5.7MB

Download
memory/2916-1-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/2916-0-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/2916-7-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads