snakekeylogger | a27e182b447fdf32f2e0121f92cce6c426d133d239fb7de64e6ca773e5050b85

Analysis

max time kernel
117s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Copy.exe
Size

740KB
MD5

eb3d064d6075848f9477f4babd34ee6a
SHA1

168e2497e77fae7de19e89458b33acc32371d905
SHA256

6cfb5c2cba6ba8911866c3391977ab0c518c3154c749c5fea23a135488931e32
SHA512

c7a25725bc5c5737aa59528aa7a1a52d35effb4175cf3afac6a515e9be7cd3b6993e041c184ce03d1a588da6141b216f1a095817dea0adfbc2cbc9c6234fcfa0
SSDEEP

12288:gRtsaKRa5x6pZEZNr49YEtE63vRBksE3/Na+sxcgxmn52hREYuzlVr:7k5kLEZNXWZ3ZMhNn52YPR

Score

10^/10

snakekeylogger collection keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
smtp.innovativeenqg.co.in
Port:
25
Username:
[email protected]
Password:
%OTz$v%9
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/824-7-0x0000000140000000-0x0000000140024000-memory.dmp	family_snakekeylogger

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2588 set thread context of 824	2588	Payment Copy.exe	85

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2588	Payment Copy.exe
824	RegSvcs.exe
824	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	Payment Copy.exe
Token: SeDebugPrivilege	824	RegSvcs.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 824	2588	Payment Copy.exe	85
PID 2588 wrote to memory of 824	2588	Payment Copy.exe	85
PID 2588 wrote to memory of 824	2588	Payment Copy.exe	85
PID 2588 wrote to memory of 824	2588	Payment Copy.exe	85
PID 2588 wrote to memory of 824	2588	Payment Copy.exe	85
PID 2588 wrote to memory of 824	2588	Payment Copy.exe	85

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/824-7-0x0000000140000000-0x0000000140024000-memory.dmp

Filesize
144KB

Download
memory/824-14-0x00007FFEF6CE0000-0x00007FFEF77A1000-memory.dmp

Filesize
10.8MB

Download
memory/824-13-0x0000019C600A0000-0x0000019C60262000-memory.dmp

Filesize
1.8MB

Download
memory/824-12-0x0000019C47490000-0x0000019C474E0000-memory.dmp

Filesize
320KB

Download
memory/824-11-0x00007FFEF6CE0000-0x00007FFEF77A1000-memory.dmp

Filesize
10.8MB

Download
memory/824-9-0x00007FFEF6CE0000-0x00007FFEF77A1000-memory.dmp

Filesize
10.8MB

Download
memory/2588-6-0x000000001D8F0000-0x000000001D956000-memory.dmp

Filesize
408KB

Download
memory/2588-0-0x0000000000C30000-0x0000000000CEE000-memory.dmp

Filesize
760KB

Download
memory/2588-5-0x0000000003760000-0x0000000003774000-memory.dmp

Filesize
80KB

Download
memory/2588-10-0x00007FFEF6CE0000-0x00007FFEF77A1000-memory.dmp

Filesize
10.8MB

Download
memory/2588-4-0x000000001CAE0000-0x000000001CAF6000-memory.dmp

Filesize
88KB

Download
memory/2588-3-0x000000001C8B0000-0x000000001C8D4000-memory.dmp

Filesize
144KB

Download
memory/2588-2-0x00007FFEF6CE0000-0x00007FFEF77A1000-memory.dmp

Filesize
10.8MB

Download
memory/2588-1-0x00007FFEF6CE3000-0x00007FFEF6CE5000-memory.dmp

Filesize
8KB

Download