snakekeylogger | 7d69e0d82e74059115486fae5dd5ac6463c7fccd91dbbcaa9587117c7d201ddb

Resubmissions

22-04-2024 22:02

240422-1xtwbagh68 10

22-04-2024 19:25

240422-x42b7afa68 10

19-04-2024 03:02

240419-djmthsfh8w 10

Analysis

max time kernel
143s
max time network
215s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe
Size

725KB
MD5

4b0a935fbc037ea00bf17468d4cf5b85
SHA1

169cd19c1d29bebd2c7fe5a8de25b1429f8f2aed
SHA256

0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea
SHA512

0bee469d0188505772af1fd9af4a6710c201475340045b97024102a63aaba14f940e6ee36d118d338e836b4ee7ba03387001ce81724c4f4433123f5b9d83dd4f
SSDEEP

12288:w6Wq4aaE6KwyF5L0Y2D1PqL5C38Lua13KVsrOQW60Ztsmhv3:GthEVaPqL58F2rBjmB3

Score

10^/10

snakekeylogger collection keylogger stealer upx

Malware Config

Extracted

Family

snakekeylogger

https://scratchdreams.tk

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 31 IoCs

Processes:

resource	yara_rule
behavioral9/memory/1356-42-0x0000000000A00000-0x0000000000A3A000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-46-0x0000000000B60000-0x0000000000B98000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-47-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-48-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-50-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-54-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-52-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-57-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-59-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-63-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-65-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-69-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-73-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-75-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-79-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-81-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-83-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-85-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-87-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-91-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-93-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-95-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-99-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-103-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-101-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-97-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-89-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-77-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-71-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-67-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger
behavioral9/memory/1356-61-0x0000000000B60000-0x0000000000B93000-memory.dmp	family_snakekeylogger

Drops startup file 1 IoCs

Processes:

harrowment.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harrowment.vbs harrowment.exe
Executes dropped EXE 1 IoCs

Processes:

harrowment.exe

pid process

2984 harrowment.exe
Loads dropped DLL 1 IoCs

Processes:

0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe

pid process

2696 0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harrowment.vbs	harrowment.exe

pid	process
2984	harrowment.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral9/memory/2696-0-0x0000000000400000-0x0000000000518000-memory.dmp	upx
behavioral9/memory/2696-12-0x0000000000400000-0x0000000000518000-memory.dmp	upx
\Users\Admin\AppData\Local\Dunlop\harrowment.exe	upx
behavioral9/memory/2696-19-0x0000000000400000-0x0000000000518000-memory.dmp	upx
behavioral9/memory/2984-35-0x0000000000400000-0x0000000000518000-memory.dmp	upx
behavioral9/memory/2984-38-0x0000000000400000-0x0000000000518000-memory.dmp	upx

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org

flow	ioc
4	checkip.dyndns.org

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral9/memory/2696-12-0x0000000000400000-0x0000000000518000-memory.dmp	autoit_exe
behavioral9/memory/2696-19-0x0000000000400000-0x0000000000518000-memory.dmp	autoit_exe
behavioral9/memory/2984-35-0x0000000000400000-0x0000000000518000-memory.dmp	autoit_exe
behavioral9/memory/2984-38-0x0000000000400000-0x0000000000518000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

harrowment.exe

description pid process target process

PID 2984 set thread context of 1356 2984 harrowment.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

1356 RegSvcs.exe
1356 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

harrowment.exe

pid process

2984 harrowment.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 1356 RegSvcs.exe

description	pid	process	target process
PID 2984 set thread context of 1356	2984	harrowment.exe	RegSvcs.exe

pid	process
1356	RegSvcs.exe
1356	RegSvcs.exe

pid	process
2984	harrowment.exe

description	pid	process
Token: SeDebugPrivilege	1356	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exeharrowment.exe

pid	process
2696	0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe
2696	0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe
2984	harrowment.exe
2984	harrowment.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exeharrowment.exe

pid	process
2696	0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe
2696	0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe
2984	harrowment.exe
2984	harrowment.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exeharrowment.exe

description	pid	process	target process
PID 2696 wrote to memory of 2984	2696	0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe	harrowment.exe
PID 2696 wrote to memory of 2984	2696	0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe	harrowment.exe
PID 2696 wrote to memory of 2984	2696	0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe	harrowment.exe
PID 2696 wrote to memory of 2984	2696	0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe	harrowment.exe
PID 2984 wrote to memory of 1356	2984	harrowment.exe	RegSvcs.exe
PID 2984 wrote to memory of 1356	2984	harrowment.exe	RegSvcs.exe
PID 2984 wrote to memory of 1356	2984	harrowment.exe	RegSvcs.exe
PID 2984 wrote to memory of 1356	2984	harrowment.exe	RegSvcs.exe
PID 2984 wrote to memory of 1356	2984	harrowment.exe	RegSvcs.exe
PID 2984 wrote to memory of 1356	2984	harrowment.exe	RegSvcs.exe
PID 2984 wrote to memory of 1356	2984	harrowment.exe	RegSvcs.exe
PID 2984 wrote to memory of 1356	2984	harrowment.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe
"C:\Users\Admin\AppData\Local\Temp\0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Local\Dunlop\harrowment.exe
"C:\Users\Admin\AppData\Local\Temp\0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\leucoryx

Filesize
224KB

MD5
2b78e824fa3a6f57ea84ac22caf7d227

SHA1
d7c60208f467cfaeb204ccfbeaceaa31f9c599d1

SHA256
e812de2b4ebe67e85dd9eb6ec0463697a86b591ed6ee703f650e198088630400

SHA512
3e9cc6510ba5004bb3b492e735a7749c8e7424dd32446890e1a9883d704363715fdf8a855bd9081b92a96225c8292ce3522eeef5b5889633af73b1cd98795b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\poufs

Filesize
29KB

MD5
1097db4d33401c96c8c311d3f86e915e

SHA1
c7569551684b84b0a3c5ca8e64bdc4bd75452b2f

SHA256
c582dc1cc0ef4806de99dc2c9682f3f59ff42ab54c06d7f1c307cf1818cdfcb5

SHA512
3172c4601b57cad15487c69746ac79396838e5af2d1da814636277fd1b8385af7477d1add982d9e57cffd5314d3ecc0324a7428ddd15bd4e21e8d2ac6ae3ee78

Download Submit
\Users\Admin\AppData\Local\Dunlop\harrowment.exe

Filesize
108.7MB

MD5
a8601cb130036cfa9fa683c0e60766b1

SHA1
12eefda765a3d9e52d109c84c10628792c0b7a82

SHA256
422961089121aaf8f9284b424402c527cf3f36de2abae12df338e8af589c16c7

SHA512
7a44032b7e82cb70733cbb3f8f8aa90e8a57234a25e3d91b6450963b12aff20d27a98528e68664f68c32aa4663c71e4aff2cdc0964b32db076088a7be8670cc1

Download Submit
memory/1356-65-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-101-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-69-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-640-0x00000000010F0000-0x0000000001130000-memory.dmp

Filesize
256KB

Download
memory/1356-73-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-639-0x00000000010F0000-0x0000000001130000-memory.dmp

Filesize
256KB

Download
memory/1356-638-0x00000000010F0000-0x0000000001130000-memory.dmp

Filesize
256KB

Download
memory/1356-637-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/1356-41-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1356-43-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/1356-42-0x0000000000A00000-0x0000000000A3A000-memory.dmp

Filesize
232KB

Download
memory/1356-44-0x00000000010F0000-0x0000000001130000-memory.dmp

Filesize
256KB

Download
memory/1356-45-0x00000000010F0000-0x0000000001130000-memory.dmp

Filesize
256KB

Download
memory/1356-46-0x0000000000B60000-0x0000000000B98000-memory.dmp

Filesize
224KB

Download
memory/1356-47-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-75-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-50-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-636-0x00000000010F0000-0x0000000001130000-memory.dmp

Filesize
256KB

Download
memory/1356-54-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-52-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-57-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-59-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-63-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-37-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1356-61-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-67-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-48-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-79-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-81-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-83-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-85-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-87-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-91-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-93-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-95-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-99-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-103-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-40-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1356-97-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-89-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-77-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/1356-71-0x0000000000B60000-0x0000000000B93000-memory.dmp

Filesize
204KB

Download
memory/2696-12-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2696-0-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2696-56-0x00000000038B0000-0x00000000039C8000-memory.dmp

Filesize
1.1MB

Download
memory/2696-22-0x00000000038B0000-0x00000000039C8000-memory.dmp

Filesize
1.1MB

Download
memory/2696-19-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2696-11-0x0000000002470000-0x0000000002474000-memory.dmp

Filesize
16KB

Download
memory/2984-35-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/2984-38-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download