snakekeylogger | fb697916a6e8662f63ff4823de89e3c3b18e2d372358d75181df294742513d65

General

Target

Proforma Invoice.exe
Size

1.1MB
MD5

bc8974efe8eaf656b8a193b3de5e6cd7
SHA1

e9759e7a7babfa9b0b409cbe3b17a5a8c0263fa4
SHA256

743515ad392665594a63eb8ce2432e2234733685d4d6c275c3d076f8b52182bf
SHA512

510bec96208cc514b13bb6352e1321d5c74a8676b7931161121045c6463c33e4f7c3e6f25b30c9ce33ede8112fc37cda5995dab3cfe6c8b8c00daa6e8b9ca34f
SSDEEP

12288:eP3w+24oEsHFYV4dQKK7v4k00sIxHplqGh/xZdFB9h/JkIS//SDeiq0D5kFkFwn4:GRoEslXMhlRlh/xZ7B9hGIMSDetMJP

Score

10^/10

snakekeylogger collection keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.sydneylaptops.com.au
Port:
587
Username:
[email protected]
Password:
Ijeomam288@

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Proforma Invoice.exe
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Proforma Invoice.exe
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Proforma Invoice.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 3420	2324	Proforma Invoice.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2304	3420	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3420	Proforma Invoice.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3420	Proforma Invoice.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 3420	2324	Proforma Invoice.exe	88
PID 2324 wrote to memory of 3420	2324	Proforma Invoice.exe	88
PID 2324 wrote to memory of 3420	2324	Proforma Invoice.exe	88
PID 2324 wrote to memory of 3420	2324	Proforma Invoice.exe	88
PID 2324 wrote to memory of 3420	2324	Proforma Invoice.exe	88
PID 2324 wrote to memory of 3420	2324	Proforma Invoice.exe	88
PID 2324 wrote to memory of 3420	2324	Proforma Invoice.exe	88
PID 2324 wrote to memory of 3420	2324	Proforma Invoice.exe	88

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Proforma Invoice.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Proforma Invoice.exe

C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe
  "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 1456
    3⤵
    - Program crash
    PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3420 -ip 3420
1⤵
PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Proforma Invoice.exe.log

Filesize
1KB

MD5
bb3d30439ec1e6435c3eac4df8c1d2e3

SHA1
c901d5946e53ae0a9e2417c8dfaf5786a0037422

SHA256
182adf89e57f80a92db9a5e13105cd59544f37855ca35f98116a0182ddd3b2e6

SHA512
d3547aadf665ce2552b3dfa350b80a5e813aa346870fb2b05a3b998096eebf563143bffe964e0f7243761b79420d1adf02f735779902901d1a41a1f35c557572

Download Submit
memory/2324-10-0x0000000074E3E000-0x0000000074E3F000-memory.dmp

Filesize
4KB

Download
memory/2324-11-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/2324-3-0x00000000055D0000-0x0000000005B74000-memory.dmp

Filesize
5.6MB

Download
memory/2324-0-0x0000000074E3E000-0x0000000074E3F000-memory.dmp

Filesize
4KB

Download
memory/2324-5-0x0000000005020000-0x000000000502A000-memory.dmp

Filesize
40KB

Download
memory/2324-6-0x0000000005160000-0x00000000051B6000-memory.dmp

Filesize
344KB

Download
memory/2324-7-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/2324-8-0x0000000005B80000-0x0000000005ED4000-memory.dmp

Filesize
3.3MB

Download
memory/2324-2-0x0000000004F80000-0x000000000501C000-memory.dmp

Filesize
624KB

Download
memory/2324-9-0x0000000005230000-0x000000000523A000-memory.dmp

Filesize
40KB

Download
memory/2324-4-0x00000000050C0000-0x0000000005152000-memory.dmp

Filesize
584KB

Download
memory/2324-12-0x0000000000CC0000-0x0000000000D80000-memory.dmp

Filesize
768KB

Download
memory/2324-16-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/2324-1-0x00000000004B0000-0x00000000005CA000-memory.dmp

Filesize
1.1MB

Download
memory/3420-13-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3420-17-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/3420-18-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/3420-19-0x0000000006260000-0x0000000006422000-memory.dmp

Filesize
1.8MB

Download
memory/3420-20-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing