snakekeylogger | c26cd8dd1ff185994225fd907edc2aea01872f1b17e021c23afb76e553bb85a4

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17/04/2024, 14:56

Target

1af4b1e67dee34e1ce541150c83e1be4f75766d47ecebf4b476cb08aa04fa837.exe
Size

525KB
MD5

3138b63ef0d439ebc2e631452307c089
SHA1

176b629248c486842e03a897192dbc6043a57fe5
SHA256

1af4b1e67dee34e1ce541150c83e1be4f75766d47ecebf4b476cb08aa04fa837
SHA512

f83dcb33c5777d9efc9100705761786a7d1dada83331866a95fbd3042357f7d7b87aa36cc1dc7fcbe8e9af4118bdd1cd5e2734366c1cc7d1c85b95be8c6767c0
SSDEEP

12288:/ytros3iYd2DGhjsTJWJHJ+HgyJsMgqFyaHs:/WosNDdRJHcHZJt

Score

10^/10

Family

snakekeylogger

http://varders.kozow.com:8081

http://aborters.duckdns.org:8081

http://anotherarmy.dns.army:8081

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/4048-8-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 4048	2728	1af4b1e67dee34e1ce541150c83e1be4f75766d47ecebf4b476cb08aa04fa837.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3924	4048	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4048	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4048	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 4048	2728	1af4b1e67dee34e1ce541150c83e1be4f75766d47ecebf4b476cb08aa04fa837.exe	88
PID 2728 wrote to memory of 4048	2728	1af4b1e67dee34e1ce541150c83e1be4f75766d47ecebf4b476cb08aa04fa837.exe	88
PID 2728 wrote to memory of 4048	2728	1af4b1e67dee34e1ce541150c83e1be4f75766d47ecebf4b476cb08aa04fa837.exe	88
PID 2728 wrote to memory of 4048	2728	1af4b1e67dee34e1ce541150c83e1be4f75766d47ecebf4b476cb08aa04fa837.exe	88
PID 2728 wrote to memory of 4048	2728	1af4b1e67dee34e1ce541150c83e1be4f75766d47ecebf4b476cb08aa04fa837.exe	88
PID 2728 wrote to memory of 4048	2728	1af4b1e67dee34e1ce541150c83e1be4f75766d47ecebf4b476cb08aa04fa837.exe	88
PID 2728 wrote to memory of 4048	2728	1af4b1e67dee34e1ce541150c83e1be4f75766d47ecebf4b476cb08aa04fa837.exe	88
PID 2728 wrote to memory of 4048	2728	1af4b1e67dee34e1ce541150c83e1be4f75766d47ecebf4b476cb08aa04fa837.exe	88

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4048 -ip 4048
1⤵
PID:4944

memory/2728-6-0x0000000005410000-0x00000000054AC000-memory.dmp

Filesize
624KB

Download
memory/2728-1-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/2728-3-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/2728-2-0x0000000002B70000-0x0000000002BC4000-memory.dmp

Filesize
336KB

Download
memory/2728-4-0x00000000057E0000-0x0000000005D84000-memory.dmp

Filesize
5.6MB

Download
memory/2728-5-0x00000000052D0000-0x0000000005362000-memory.dmp

Filesize
584KB

Download
memory/2728-0-0x0000000000750000-0x00000000007DA000-memory.dmp

Filesize
552KB

Download
memory/2728-7-0x0000000005260000-0x0000000005268000-memory.dmp

Filesize
32KB

Download
memory/2728-10-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/4048-8-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4048-11-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/4048-12-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/4048-13-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download