snakekeylogger | fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c

Analysis

max time kernel
122s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-04-2024 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe
Size

1.2MB
MD5

8277ca0e3f3c1dd755870b6a166e1276
SHA1

fbd7818d3c9be9781e4da7724cab928cc3c25555
SHA256

fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c
SHA512

100c9d45e54fe57032f0d1ad3111ffc5b0e539ec248baefe4eccb261ef76a42ccdce2f81bb9ab8a39fcf58797dabc5c54804bbfd0a44a65ee2612f9277c708a9
SSDEEP

24576:ZqDEvCTbMWu7rQYlBQcBiT6rprG8azqNcenjPZIeoZulEFJs:ZTvC/MTQYxsWR7azsxISlI

Score

10^/10

snakekeylogger collection keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

https://scratchdreams.tk

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2416-50-0x0000000001F90000-0x0000000001FCA000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-52-0x00000000020E0000-0x0000000002118000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-53-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-54-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-56-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-58-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-60-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-62-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-64-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-66-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-68-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-70-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-74-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-80-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-82-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-86-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-88-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-92-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-96-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-100-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-102-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-104-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-108-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-112-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-110-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-106-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-98-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-94-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-90-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-84-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-78-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-76-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-72-0x00000000020E0000-0x0000000002113000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-641-0x0000000004B30000-0x0000000004B70000-memory.dmp	family_snakekeylogger
behavioral1/memory/2416-646-0x0000000004B30000-0x0000000004B70000-memory.dmp	family_snakekeylogger

Drops startup file 1 IoCs

Processes:

name.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs name.exe
Executes dropped EXE 2 IoCs

Processes:

name.exename.exe

pid process

2736 name.exe
2668 name.exe
Loads dropped DLL 2 IoCs

Processes:

fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exename.exe

pid process

2876 fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe
2736 name.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

pid	process
2736	name.exe
2668	name.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org

flow	ioc
4	checkip.dyndns.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\directory\name.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

name.exe

description pid process target process

PID 2668 set thread context of 2416 2668 name.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

2416 RegSvcs.exe
2416 RegSvcs.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

name.exename.exe

pid process

2736 name.exe
2668 name.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2416 RegSvcs.exe

description	pid	process	target process
PID 2668 set thread context of 2416	2668	name.exe	RegSvcs.exe

pid	process
2416	RegSvcs.exe
2416	RegSvcs.exe

pid	process
2736	name.exe
2668	name.exe

description	pid	process
Token: SeDebugPrivilege	2416	RegSvcs.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exename.exename.exe

pid	process
2876	fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe
2876	fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe
2736	name.exe
2736	name.exe
2736	name.exe
2668	name.exe
2668	name.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exename.exename.exe

pid	process
2876	fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe
2876	fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe
2736	name.exe
2736	name.exe
2736	name.exe
2668	name.exe
2668	name.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exename.exename.exe

description	pid	process	target process
PID 2876 wrote to memory of 2736	2876	fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe	name.exe
PID 2876 wrote to memory of 2736	2876	fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe	name.exe
PID 2876 wrote to memory of 2736	2876	fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe	name.exe
PID 2876 wrote to memory of 2736	2876	fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe	name.exe
PID 2736 wrote to memory of 2652	2736	name.exe	RegSvcs.exe
PID 2736 wrote to memory of 2652	2736	name.exe	RegSvcs.exe
PID 2736 wrote to memory of 2652	2736	name.exe	RegSvcs.exe
PID 2736 wrote to memory of 2652	2736	name.exe	RegSvcs.exe
PID 2736 wrote to memory of 2652	2736	name.exe	RegSvcs.exe
PID 2736 wrote to memory of 2652	2736	name.exe	RegSvcs.exe
PID 2736 wrote to memory of 2652	2736	name.exe	RegSvcs.exe
PID 2736 wrote to memory of 2668	2736	name.exe	name.exe
PID 2736 wrote to memory of 2668	2736	name.exe	name.exe
PID 2736 wrote to memory of 2668	2736	name.exe	name.exe
PID 2736 wrote to memory of 2668	2736	name.exe	name.exe
PID 2668 wrote to memory of 2416	2668	name.exe	RegSvcs.exe
PID 2668 wrote to memory of 2416	2668	name.exe	RegSvcs.exe
PID 2668 wrote to memory of 2416	2668	name.exe	RegSvcs.exe
PID 2668 wrote to memory of 2416	2668	name.exe	RegSvcs.exe
PID 2668 wrote to memory of 2416	2668	name.exe	RegSvcs.exe
PID 2668 wrote to memory of 2416	2668	name.exe	RegSvcs.exe
PID 2668 wrote to memory of 2416	2668	name.exe	RegSvcs.exe
PID 2668 wrote to memory of 2416	2668	name.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe
"C:\Users\Admin\AppData\Local\Temp\fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\fa68e5958fbbc8a96dfddaa28cce6dae0fc52905571b55731f07464e4642627c.exe"
    3⤵
    PID:2652
- - C:\Users\Admin\AppData\Local\directory\name.exe
    "C:\Users\Admin\AppData\Local\directory\name.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\directory\name.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut69F9.tmp

Filesize
216KB

MD5
e97eab071e774a80a2bc2ee42ea311dd

SHA1
2f62cc4105ff28c2719eae0d1fa0c7cd1b5cb2f0

SHA256
825d1ec06dda3ba8f85b255ab0a1ee4f6db6acd29d973b41c4c03491f17bcd5b

SHA512
6d31a696f081434566f36ce71ae14fe73f8761ac3075808238f8c41a81079e4c6aa65ef82ba84176a4fcdde8c37b9d8dba4748be2a675df5ba0c929c7b4409b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut6A0A.tmp

Filesize
9KB

MD5
63345d634bdb22bf18e3dbd6783674b3

SHA1
f101d4488e54e463b13b4557629aaf5d791ccc01

SHA256
995e9d56313f8838b209a60c9f48002fd1ce918e793b62ec0777922d89436c25

SHA512
3c732704be29e7f0c48c7726ebef57b46ada0ec1ee7df065fec9870f5f002d425654d0e1a212ee334203f1339fd715ad7010cff95b1b9e5c06732d8e9db56a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bleacher

Filesize
224KB

MD5
c2dff05bf7793790a14e5832ab590cbf

SHA1
a05b6e7ad93920c4602d985994746481ffe4aa0e

SHA256
8cbceec25617738ab012aecb7d974142e3ed9a53dc1481fc7a13ab80540addc4

SHA512
272e0fd15b903ad5d4b3b1efd0978e89569f3aaafb65c14185aa5782cf83232a96b8e3b60871a79ca4b8f6158e5b512bf2380ff458ec011232d569caae37a8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\phagocytosed

Filesize
29KB

MD5
833eadf709da7bc0734bd2304955edb0

SHA1
415f79b3a5075d14ff2b2c749c76f6cd29e7041f

SHA256
167beefd2bce61df22b374831b758d120b4af3243026773666d1e2f729ab0a2d

SHA512
b26b9ebabf255ed06642a3109f6c11c49d506deb8896a40aaa9708a48ab7a7c49b9f89172edd1d651bc4866313e0413c0f00779ba0ef81fed9f3e221da412fb9

Download Submit
\Users\Admin\AppData\Local\directory\name.exe

Filesize
107.2MB

MD5
b37d6d446b43b1740d105293f1250a60

SHA1
67e09b6a174c12b8dd655aa196e591d280a8e56d

SHA256
83ccb0228186c4eff28bac78e138f5211102764f2a6307be9eb93688c53e6bdf

SHA512
8f256fbc939470a2437e47731a398e73656c7332ac3091bac4548b17d60b0853bb0ca5797322d264dea31a9babfd6adb48fbc61779d24f029c437b133940978e

Download Submit
memory/2416-80-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-646-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/2416-47-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2416-48-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2416-49-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/2416-50-0x0000000001F90000-0x0000000001FCA000-memory.dmp

Filesize
232KB

Download
memory/2416-51-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/2416-52-0x00000000020E0000-0x0000000002118000-memory.dmp

Filesize
224KB

Download
memory/2416-53-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-54-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-56-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-58-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-60-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-62-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-64-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-66-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-88-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-70-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-74-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-44-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2416-82-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-86-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-96-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-46-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2416-68-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-100-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-102-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-104-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-108-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-112-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-110-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-106-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-98-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-94-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-90-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-84-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-78-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-76-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-72-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2416-641-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/2416-642-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2416-643-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2416-644-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/2416-645-0x0000000004B30000-0x0000000004B70000-memory.dmp

Filesize
256KB

Download
memory/2416-92-0x00000000020E0000-0x0000000002113000-memory.dmp

Filesize
204KB

Download
memory/2876-10-0x0000000000160000-0x0000000000164000-memory.dmp

Filesize
16KB

Download