snakekeylogger | fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c

Analysis

max time kernel
117s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-04-2024 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe
Size

1.2MB
MD5

8277ca0e3f3c1dd755870b6a166e1276
SHA1

fbd7818d3c9be9781e4da7724cab928cc3c25555
SHA256

fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c
SHA512

100c9d45e54fe57032f0d1ad3111ffc5b0e539ec248baefe4eccb261ef76a42ccdce2f81bb9ab8a39fcf58797dabc5c54804bbfd0a44a65ee2612f9277c708a9
SSDEEP

24576:ZqDEvCTbMWu7rQYlBQcBiT6rprG8azqNcenjPZIeoZulEFJs:ZTvC/MTQYxsWR7azsxISlI

Score

10^/10

snakekeylogger collection keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

https://scratchdreams.tk

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 36 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2908-36-0x0000000000B50000-0x0000000000B8A000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-37-0x0000000004BD0000-0x0000000004C10000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-38-0x0000000000BD0000-0x0000000000C08000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-39-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-40-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-42-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-44-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-46-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-48-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-50-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-52-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-54-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-56-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-58-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-60-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-62-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-64-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-66-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-68-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-70-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-72-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-74-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-76-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-78-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-80-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-82-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-84-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-86-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-88-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-90-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-92-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-94-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-96-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-98-0x0000000000BD0000-0x0000000000C03000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-627-0x0000000004BD0000-0x0000000004C10000-memory.dmp	family_snakekeylogger
behavioral1/memory/2908-631-0x0000000004BD0000-0x0000000004C10000-memory.dmp	family_snakekeylogger

Drops startup file 1 IoCs

Processes:

name.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs name.exe
Executes dropped EXE 1 IoCs

Processes:

name.exe

pid process

2580 name.exe
Loads dropped DLL 1 IoCs

Processes:

fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe

pid process

2160 fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

pid	process
2580	name.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org

flow	ioc
4	checkip.dyndns.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\directory\name.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

name.exe

description pid process target process

PID 2580 set thread context of 2908 2580 name.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

2908 RegSvcs.exe
2908 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

name.exe

pid process

2580 name.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2908 RegSvcs.exe

description	pid	process	target process
PID 2580 set thread context of 2908	2580	name.exe	RegSvcs.exe

pid	process
2908	RegSvcs.exe
2908	RegSvcs.exe

pid	process
2580	name.exe

description	pid	process
Token: SeDebugPrivilege	2908	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exename.exe

pid	process
2160	fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe
2160	fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe
2580	name.exe
2580	name.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exename.exe

pid	process
2160	fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe
2160	fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe
2580	name.exe
2580	name.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exename.exe

description	pid	process	target process
PID 2160 wrote to memory of 2580	2160	fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe	name.exe
PID 2160 wrote to memory of 2580	2160	fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe	name.exe
PID 2160 wrote to memory of 2580	2160	fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe	name.exe
PID 2160 wrote to memory of 2580	2160	fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe	name.exe
PID 2580 wrote to memory of 2908	2580	name.exe	RegSvcs.exe
PID 2580 wrote to memory of 2908	2580	name.exe	RegSvcs.exe
PID 2580 wrote to memory of 2908	2580	name.exe	RegSvcs.exe
PID 2580 wrote to memory of 2908	2580	name.exe	RegSvcs.exe
PID 2580 wrote to memory of 2908	2580	name.exe	RegSvcs.exe
PID 2580 wrote to memory of 2908	2580	name.exe	RegSvcs.exe
PID 2580 wrote to memory of 2908	2580	name.exe	RegSvcs.exe
PID 2580 wrote to memory of 2908	2580	name.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe
"C:\Users\Admin\AppData\Local\Temp\fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bleacher

Filesize
224KB

MD5
c2dff05bf7793790a14e5832ab590cbf

SHA1
a05b6e7ad93920c4602d985994746481ffe4aa0e

SHA256
8cbceec25617738ab012aecb7d974142e3ed9a53dc1481fc7a13ab80540addc4

SHA512
272e0fd15b903ad5d4b3b1efd0978e89569f3aaafb65c14185aa5782cf83232a96b8e3b60871a79ca4b8f6158e5b512bf2380ff458ec011232d569caae37a8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\phagocytosed

Filesize
29KB

MD5
833eadf709da7bc0734bd2304955edb0

SHA1
415f79b3a5075d14ff2b2c749c76f6cd29e7041f

SHA256
167beefd2bce61df22b374831b758d120b4af3243026773666d1e2f729ab0a2d

SHA512
b26b9ebabf255ed06642a3109f6c11c49d506deb8896a40aaa9708a48ab7a7c49b9f89172edd1d651bc4866313e0413c0f00779ba0ef81fed9f3e221da412fb9

Download Submit
\Users\Admin\AppData\Local\directory\name.exe

Filesize
105.2MB

MD5
a17e0455ded0ee2fe5d38fff1eb3eea3

SHA1
91f1dcf2775fec04b96667ca7c29e6a438087e7d

SHA256
80c2e9891f6dcbc1c5ed0c6d05160b465a42f0e1073b595580d85500359c955a

SHA512
0b2329f293ea1841b25946e8cc50a2fa9f8bce0a74d5abcc23997ca1187819827f4d874a9fb0380dfc06cba720b6b1138595cfc139e8d8c8f978e4560bc1df0b

Download Submit
memory/2160-10-0x0000000000260000-0x0000000000264000-memory.dmp

Filesize
16KB

Download
memory/2908-62-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-34-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download
memory/2908-33-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2908-64-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-35-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/2908-36-0x0000000000B50000-0x0000000000B8A000-memory.dmp

Filesize
232KB

Download
memory/2908-37-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/2908-38-0x0000000000BD0000-0x0000000000C08000-memory.dmp

Filesize
224KB

Download
memory/2908-39-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-40-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-30-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2908-44-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-66-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-48-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-50-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-52-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-54-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-56-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-58-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-60-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-42-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-32-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2908-46-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-68-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-70-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-72-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-74-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-76-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-78-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-80-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-82-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-84-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-86-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-88-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-90-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-92-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-94-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-96-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-98-0x0000000000BD0000-0x0000000000C03000-memory.dmp

Filesize
204KB

Download
memory/2908-627-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/2908-628-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2908-629-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download
memory/2908-630-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/2908-631-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download