snakekeylogger | ffccc74b2625161d73ba369bdd931438ff7d4de8ff092423541fce4b818c99b3

General

Target

7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe
Size

333KB
MD5

b9d77c2410b5808b0e703395bb2907b7
SHA1

32e61029b0c3c25c56d5862068a3410a30a7670f
SHA256

7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04
SHA512

c9c9110c22efd1c246f289396cc00c2e2cccef97e37914a73430fa08b7ea6e8b94b61c602ea82fde28e0e956894c01fbc44d9c105902684ac5b4b83bb3388614
SSDEEP

6144:mTyLMh4wMzywrWIq/2K7SBBMIARmCmwOE7bjVPJcfsduGAnx:LLMSewr9hBSRmp6BPJU7GAx

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

C2

http://varders.kozow.com:8081

http://aborters.duckdns.org:8081

http://anotherarmy.dns.army:8081

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2536-8-0x0000000000400000-0x000000000041C000-memory.dmp	family_snakekeylogger
behavioral1/memory/2536-9-0x0000000000400000-0x000000000041C000-memory.dmp	family_snakekeylogger
behavioral1/memory/2536-12-0x0000000000400000-0x000000000041C000-memory.dmp	family_snakekeylogger
behavioral1/memory/2536-16-0x0000000000400000-0x000000000041C000-memory.dmp	family_snakekeylogger
behavioral1/memory/2536-14-0x0000000000400000-0x000000000041C000-memory.dmp	family_snakekeylogger
behavioral1/memory/2536-19-0x0000000002130000-0x0000000002170000-memory.dmp	family_snakekeylogger

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1696 cmd.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org

pid	process
1696	cmd.exe

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe

description	pid	process	target process
PID 2132 set thread context of 2536	2132	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe

pid process

2536 7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe

description pid process

Token: SeDebugPrivilege 2536 7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe

pid	process
2536	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe

description	pid	process
Token: SeDebugPrivilege	2536	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.execmd.exe

description	pid	process	target process
PID 2132 wrote to memory of 2536	2132	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe
PID 2132 wrote to memory of 2536	2132	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe
PID 2132 wrote to memory of 2536	2132	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe
PID 2132 wrote to memory of 2536	2132	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe
PID 2132 wrote to memory of 2536	2132	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe
PID 2132 wrote to memory of 2536	2132	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe
PID 2132 wrote to memory of 2536	2132	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe
PID 2132 wrote to memory of 2536	2132	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe
PID 2132 wrote to memory of 2536	2132	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe
PID 2536 wrote to memory of 1696	2536	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe	cmd.exe
PID 2536 wrote to memory of 1696	2536	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe	cmd.exe
PID 2536 wrote to memory of 1696	2536	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe	cmd.exe
PID 2536 wrote to memory of 1696	2536	7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe	cmd.exe
PID 1696 wrote to memory of 1844	1696	cmd.exe	choice.exe
PID 1696 wrote to memory of 1844	1696	cmd.exe	choice.exe
PID 1696 wrote to memory of 1844	1696	cmd.exe	choice.exe
PID 1696 wrote to memory of 1844	1696	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe
"C:\Users\Admin\AppData\Local\Temp\7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe
"C:\Users\Admin\AppData\Local\Temp\7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\7161d933e8ce30fc8824cb3532294905ca0582760a306254ad03318619519c04.exe"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1844

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2132-0-0x0000000000C20000-0x0000000000C7A000-memory.dmp

Filesize
360KB

Download
memory/2132-1-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2132-3-0x0000000002170000-0x00000000021B0000-memory.dmp

Filesize
256KB

Download
memory/2132-2-0x0000000000B80000-0x0000000000BCA000-memory.dmp

Filesize
296KB

Download
memory/2132-4-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/2132-17-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2536-9-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2536-8-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2536-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2536-10-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2536-12-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2536-16-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2536-14-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2536-5-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2536-18-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2536-19-0x0000000002130000-0x0000000002170000-memory.dmp

Filesize
256KB

Download
memory/2536-20-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download
memory/2536-21-0x0000000002130000-0x0000000002170000-memory.dmp

Filesize
256KB

Download
memory/2536-22-0x0000000074090000-0x000000007477E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads