snakekeylogger | 668e30794599e3cc195cd9cb6a1110ecdf5f8c947b441132c5044b5d3b41c05d

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe
Size

129KB
MD5

ccfdbf07643aed4c333fad91828e4a80
SHA1

ccb1efa6c2ef21eb912bfdabb9a6bccb374dc248
SHA256

461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e
SHA512

c9bd1a9ac30e941eae5acf39cff6c6b0ac8a95e7bd0c656496851f15fcce345f4cf0371df6aad709c4f72845ad496291a70d9364572abdd8da0d7444f385b6c7
SSDEEP

3072:jeHgpwPUTi/GIRhvudmxG9OCAXGtsddlQbgkVcsQvwvxLob3mDbY:VpmNZMm7Lqbfcb30b

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.stpgig.com
Port:
587
Username:
info@stpgig.com
Password:
Stpgig#Login21

https://scratchdreams.tk

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2112-0-0x000000013F8C0000-0x000000013F8E4000-memory.dmp	family_snakekeylogger

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2168 cmd.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 checkip.dyndns.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe

pid process

2112 461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe

description pid process

Token: SeDebugPrivilege 2112 461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe

pid	process
2168	cmd.exe

flow	ioc
2	checkip.dyndns.org

pid	process
2112	461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe

description	pid	process
Token: SeDebugPrivilege	2112	461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.execmd.exe

description	pid	process	target process
PID 2112 wrote to memory of 2168	2112	461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe	cmd.exe
PID 2112 wrote to memory of 2168	2112	461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe	cmd.exe
PID 2112 wrote to memory of 2168	2112	461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe	cmd.exe
PID 2168 wrote to memory of 2272	2168	cmd.exe	choice.exe
PID 2168 wrote to memory of 2272	2168	cmd.exe	choice.exe
PID 2168 wrote to memory of 2272	2168	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe
"C:\Users\Admin\AppData\Local\Temp\461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\461bcd6658a32970b9bd12d978229b8d3c8c1f4bdf00688db287b2b7ce6c880e.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:2272

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2112-0-0x000000013F8C0000-0x000000013F8E4000-memory.dmp

Filesize
144KB

Download
memory/2112-1-0x000007FEF54D0000-0x000007FEF5EBC000-memory.dmp

Filesize
9.9MB

Download
memory/2112-2-0x000000001AFC0000-0x000000001B040000-memory.dmp

Filesize
512KB

Download
memory/2112-3-0x000007FEF54D0000-0x000007FEF5EBC000-memory.dmp

Filesize
9.9MB

Download