snakekeylogger | 613308a9ef0289f190c7f9ba6dac4209a93fcbda05d893716a6b40e6167102fd

Resubmissions

11/06/2024, 12:53

11/06/2024, 12:27

max time kernel
19s
max time network
28s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 12:53

Target

CTM USD28600.exe
Size

331KB
MD5

d5fc299eb2708903f3132b09af1ebdbb
SHA1

003efab8f439255094d2b8c63e096682509afb4f
SHA256

613308a9ef0289f190c7f9ba6dac4209a93fcbda05d893716a6b40e6167102fd
SHA512

e8577a48ffee301f2eebc13e2b784d65791dc477d1ff2f0fb761cc0a8d999eef024e8c37b74d070de49fb4538b32227e594e446c19ed4dde85e2f1af29326f20
SSDEEP

6144:ju9K5wR27SQn21/bFSj85xl/B2XiYVDc6q40YBgjMRbtvs:ju9K5d7SA2jS0xviiYSfwM

Score

10^/10

Family

snakekeylogger

Credentials

http://103.130.147.85

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

resource	yara_rule
behavioral1/memory/1804-8-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1804-16-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1804-13-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1804-11-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/1804-7-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2460 set thread context of 1804	2460	CTM USD28600.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1804	CTM USD28600.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	CTM USD28600.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 1804	2460	CTM USD28600.exe	28
PID 2460 wrote to memory of 1804	2460	CTM USD28600.exe	28
PID 2460 wrote to memory of 1804	2460	CTM USD28600.exe	28
PID 2460 wrote to memory of 1804	2460	CTM USD28600.exe	28
PID 2460 wrote to memory of 1804	2460	CTM USD28600.exe	28
PID 2460 wrote to memory of 1804	2460	CTM USD28600.exe	28
PID 2460 wrote to memory of 1804	2460	CTM USD28600.exe	28
PID 2460 wrote to memory of 1804	2460	CTM USD28600.exe	28
PID 2460 wrote to memory of 1804	2460	CTM USD28600.exe	28

memory/1804-7-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1804-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1804-18-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1804-17-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/1804-9-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1804-8-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1804-6-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1804-13-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1804-16-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1804-5-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2460-1-0x00000000010A0000-0x00000000010FA000-memory.dmp

Filesize
360KB

Download
memory/2460-4-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/2460-0-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/2460-3-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2460-2-0x0000000000720000-0x0000000000774000-memory.dmp

Filesize
336KB

Download
memory/2460-19-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download