snakekeylogger | 1d02b125ee09507cbc1cfb446274c5d380f8d2d43e0083f65d3341d741eb3bbf

General

Target

$PLUGINSDIR/mqpdzmdsq.dll
Size

22KB
MD5

c49786a64061cb1ec53737946be6e6b8
SHA1

23aea486baf2da29a164342abfacc42d24c4e2f7
SHA256

167ce47c8c1ffb564b0d793f556fa109eb17ab54846e0a5cb79efee53f0a471a
SHA512

1d2c0d8243faa8783b73150ddd50aec38c32f980a9d6fd9311495a3c531fbb668b0a74e9c3fc82059ec7a8a9b09cee82c2870b93105f2ac1661eb1e1ef3d3406
SSDEEP

192:MniBZI5F6cnX8blqLJRYad+Mj1uvfY0WGZkzLuFqbsk/HxZT9TOBkjtDJoZMcxR4:MnM9lcY546kzLuFMHJOgtDJgnMS9lxW

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 4 IoCs

Processes:

resource	yara_rule
behavioral4/memory/3296-1-0x0000000000400000-0x0000000000457000-memory.dmp	family_snakekeylogger
behavioral4/memory/3296-3-0x0000000000400000-0x0000000000457000-memory.dmp	family_snakekeylogger
behavioral4/memory/3296-4-0x0000000000400000-0x0000000000457000-memory.dmp	family_snakekeylogger
behavioral4/memory/3296-5-0x0000000000400000-0x0000000000457000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

21 3296 rundll32.exe
30 3296 rundll32.exe
35 3296 rundll32.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 freegeoip.app
19 checkip.dyndns.org
29 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 540 set thread context of 3296 540 rundll32.exe rundll32.exe

flow	pid	process
21	3296	rundll32.exe
30	3296	rundll32.exe
35	3296	rundll32.exe

flow	ioc
30	freegeoip.app
19	checkip.dyndns.org
29	freegeoip.app

description	pid	process	target process
PID 540 set thread context of 3296	540	rundll32.exe	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3296 rundll32.exe
3296 rundll32.exe

pid	process
3296	rundll32.exe
3296	rundll32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

rundll32.exedw20.exe

description	pid	process
Token: SeDebugPrivilege	3296	rundll32.exe
Token: SeRestorePrivilege	4756	dw20.exe
Token: SeBackupPrivilege	4756	dw20.exe
Token: SeBackupPrivilege	4756	dw20.exe
Token: SeBackupPrivilege	4756	dw20.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

description	pid	process	target process
PID 4588 wrote to memory of 540	4588	rundll32.exe	rundll32.exe
PID 4588 wrote to memory of 540	4588	rundll32.exe	rundll32.exe
PID 4588 wrote to memory of 540	4588	rundll32.exe	rundll32.exe
PID 540 wrote to memory of 3296	540	rundll32.exe	rundll32.exe
PID 540 wrote to memory of 3296	540	rundll32.exe	rundll32.exe
PID 540 wrote to memory of 3296	540	rundll32.exe	rundll32.exe
PID 540 wrote to memory of 3296	540	rundll32.exe	rundll32.exe
PID 540 wrote to memory of 3296	540	rundll32.exe	rundll32.exe
PID 540 wrote to memory of 3296	540	rundll32.exe	rundll32.exe
PID 540 wrote to memory of 3296	540	rundll32.exe	rundll32.exe
PID 540 wrote to memory of 3296	540	rundll32.exe	rundll32.exe
PID 540 wrote to memory of 3296	540	rundll32.exe	rundll32.exe
PID 540 wrote to memory of 3296	540	rundll32.exe	rundll32.exe
PID 3296 wrote to memory of 4756	3296	rundll32.exe	dw20.exe
PID 3296 wrote to memory of 4756	3296	rundll32.exe	dw20.exe
PID 3296 wrote to memory of 4756	3296	rundll32.exe	dw20.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mqpdzmdsq.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mqpdzmdsq.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\mqpdzmdsq.dll,#1
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3296
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 1824
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1400 --field-trial-handle=2224,i,17688331074622862378,73816879873678745,262144 --variations-seed-version /prefetch:8
1⤵
PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/540-0-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/540-2-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/3296-1-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3296-3-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3296-4-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3296-5-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3296-6-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/3296-7-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/3296-8-0x0000000003160000-0x0000000003170000-memory.dmp

Filesize
64KB

Download
memory/3296-9-0x0000000003160000-0x0000000003170000-memory.dmp

Filesize
64KB

Download
memory/3296-16-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads