snakekeylogger | 23af3a08fab73e826fdc8746455eb25159f79141af16b6a0ed2ce64914ac0718

General

Target

9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe
Size

464KB
MD5

33b3a84329888a084a88712bbf7243a0
SHA1

8f74801de3966b0fccd22164a53e92574cce26e7
SHA256

9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e
SHA512

929e28985a7e9053fae9bb71b8e7e70599765d1111b1fe0ba5574862081f38c214ff125e8dec49ac2082891343f89a0f93af603c01d9f3a6b3f0a1326ccf6229
SSDEEP

6144:rvCIIwryDMr/hTYf3yPxAUy8HqN4DH3fA09878ktKMMsbiGx3XnUzG9ZfhRwm:rCXn4wGxJyLw3f587rMsln3f

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
instalacionestasende.com
Port:
25
Username:
[email protected]
Password:
VzX79@6v
Email To:
[email protected]

C2

https://scratchdreams.tk

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2168-9-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2168-11-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2168-15-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2168-18-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2168-20-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2168-22-0x0000000004B80000-0x0000000004BC0000-memory.dmp	family_snakekeylogger
behavioral1/memory/2168-38-0x0000000004B80000-0x0000000004BC0000-memory.dmp	family_snakekeylogger

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2504 cmd.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org

pid	process
2504	cmd.exe

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe

description	pid	process	target process
PID 888 set thread context of 2168	888	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe

pid process

2168 9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe

description pid process

Token: SeDebugPrivilege 2168 9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe

pid	process
2168	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe

description	pid	process
Token: SeDebugPrivilege	2168	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.execmd.exe

description	pid	process	target process
PID 888 wrote to memory of 2168	888	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe
PID 888 wrote to memory of 2168	888	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe
PID 888 wrote to memory of 2168	888	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe
PID 888 wrote to memory of 2168	888	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe
PID 888 wrote to memory of 2168	888	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe
PID 888 wrote to memory of 2168	888	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe
PID 888 wrote to memory of 2168	888	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe
PID 888 wrote to memory of 2168	888	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe
PID 888 wrote to memory of 2168	888	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe
PID 2168 wrote to memory of 2504	2168	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe	cmd.exe
PID 2168 wrote to memory of 2504	2168	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe	cmd.exe
PID 2168 wrote to memory of 2504	2168	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe	cmd.exe
PID 2168 wrote to memory of 2504	2168	9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe	cmd.exe
PID 2504 wrote to memory of 1696	2504	cmd.exe	choice.exe
PID 2504 wrote to memory of 1696	2504	cmd.exe	choice.exe
PID 2504 wrote to memory of 1696	2504	cmd.exe	choice.exe
PID 2504 wrote to memory of 1696	2504	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe
"C:\Users\Admin\AppData\Local\Temp\9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:888
- C:\Users\Admin\AppData\Local\Temp\9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe
  "C:\Users\Admin\AppData\Local\Temp\9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\9b59cf1e6991964af85280afc3c850b3e42164e2ad12a460ed80695242be568e.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/888-0-0x0000000001290000-0x000000000130A000-memory.dmp

Filesize
488KB

Download
memory/888-1-0x0000000074E50000-0x000000007553E000-memory.dmp

Filesize
6.9MB

Download
memory/888-3-0x0000000004AF0000-0x0000000004B30000-memory.dmp

Filesize
256KB

Download
memory/888-2-0x0000000000A80000-0x0000000000AD6000-memory.dmp

Filesize
344KB

Download
memory/888-4-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/888-17-0x0000000074E50000-0x000000007553E000-memory.dmp

Filesize
6.9MB

Download
memory/2168-7-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2168-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2168-9-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2168-15-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2168-5-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2168-18-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2168-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2168-20-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2168-21-0x0000000074DD0000-0x00000000754BE000-memory.dmp

Filesize
6.9MB

Download
memory/2168-22-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/2168-37-0x0000000074DD0000-0x00000000754BE000-memory.dmp

Filesize
6.9MB

Download
memory/2168-38-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/2168-39-0x0000000074DD0000-0x00000000754BE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads