snakekeylogger | 6ea25f40af71831d25ee3ee4d4772826686dd77fcf1f90b23192bcba759f0e5d

Analysis

max time kernel
96s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ea25f40af71831d25ee3ee4d4772826686dd77fcf1f90b23192bcba759f0e5d.exe
Size

1.1MB
MD5

d83e73b450e3efedb4ac939dda36d6d9
SHA1

74d88f6a12495ddc6b9efdae197f1208ac623c2c
SHA256

6ea25f40af71831d25ee3ee4d4772826686dd77fcf1f90b23192bcba759f0e5d
SHA512

78619767cc25849de677307eba98da2a3352ea5c65baed6801d59ac3560d6917ecaf8dcf36dcea10de387ca29d861821570c5a58c1d83d87295219df8f1bbfe3
SSDEEP

24576:hAHnh+eWsN3skA4RV1Hom2KXMmHaGZiH+TcsvmOP6P5:4h+ZkldoPK8YaGAeT58

Score

10^/10

snakekeylogger discovery keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot7277207626:AAGRDtfhvqxeEEY9C2dcl-J2e8y-ub9ECYU/sendMessage?chat_id=7128988401

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 33 IoCs

resource	yara_rule
behavioral2/memory/2520-45-0x0000000002C10000-0x0000000002C4A000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-47-0x00000000051C0000-0x00000000051F8000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-57-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-61-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-107-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-105-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-103-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-101-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-99-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-95-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-93-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-91-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-89-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-87-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-85-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-83-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-81-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-79-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-77-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-73-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-71-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-69-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-67-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-65-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-63-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-59-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-55-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-97-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-75-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-53-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-51-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-49-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger
behavioral2/memory/2520-48-0x00000000051C0000-0x00000000051F3000-memory.dmp	family_snakekeylogger

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 2 IoCs

pid	Process
2232	name.exe
4092	name.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	checkip.dyndns.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0009000000023416-13.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4092 set thread context of 2520	4092	name.exe	92

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ea25f40af71831d25ee3ee4d4772826686dd77fcf1f90b23192bcba759f0e5d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2520	RegSvcs.exe
2520	RegSvcs.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2232	name.exe
4092	name.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	RegSvcs.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 2232	432	6ea25f40af71831d25ee3ee4d4772826686dd77fcf1f90b23192bcba759f0e5d.exe	86
PID 432 wrote to memory of 2232	432	6ea25f40af71831d25ee3ee4d4772826686dd77fcf1f90b23192bcba759f0e5d.exe	86
PID 432 wrote to memory of 2232	432	6ea25f40af71831d25ee3ee4d4772826686dd77fcf1f90b23192bcba759f0e5d.exe	86
PID 2232 wrote to memory of 5028	2232	name.exe	88
PID 2232 wrote to memory of 5028	2232	name.exe	88
PID 2232 wrote to memory of 5028	2232	name.exe	88
PID 2232 wrote to memory of 4092	2232	name.exe	89
PID 2232 wrote to memory of 4092	2232	name.exe	89
PID 2232 wrote to memory of 4092	2232	name.exe	89
PID 4092 wrote to memory of 2520	4092	name.exe	92
PID 4092 wrote to memory of 2520	4092	name.exe	92
PID 4092 wrote to memory of 2520	4092	name.exe	92
PID 4092 wrote to memory of 2520	4092	name.exe	92
PID 2520 wrote to memory of 4504	2520	RegSvcs.exe	98
PID 2520 wrote to memory of 4504	2520	RegSvcs.exe	98
PID 2520 wrote to memory of 4504	2520	RegSvcs.exe	98
PID 4504 wrote to memory of 4660	4504	cmd.exe	100
PID 4504 wrote to memory of 4660	4504	cmd.exe	100
PID 4504 wrote to memory of 4660	4504	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\6ea25f40af71831d25ee3ee4d4772826686dd77fcf1f90b23192bcba759f0e5d.exe
"C:\Users\Admin\AppData\Local\Temp\6ea25f40af71831d25ee3ee4d4772826686dd77fcf1f90b23192bcba759f0e5d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\6ea25f40af71831d25ee3ee4d4772826686dd77fcf1f90b23192bcba759f0e5d.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\6ea25f40af71831d25ee3ee4d4772826686dd77fcf1f90b23192bcba759f0e5d.exe"
    3⤵
    PID:5028
- - C:\Users\Admin\AppData\Local\directory\name.exe
    "C:\Users\Admin\AppData\Local\directory\name.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4092
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\directory\name.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4504
      - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\antiprimer

Filesize
224KB

MD5
55cb9525fbfc9c359c7d425649891e5a

SHA1
701b0b55eed96d52d9b6a799c561560cfa997607

SHA256
92439fbc20d3deeaeaa8d6590dfd9e031c9cb19355026d88a526dde2fcead9d3

SHA512
66b3fcf07b702a4e91ed807d27b519cdae28903682c936eeca76985a01432fca47d3d10922433aab306481e1d211f7bc48957bc3b980b6f14abef45616cbb31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut9A0D.tmp

Filesize
214KB

MD5
1d782db22c2735dd7c16eb04b8bbe622

SHA1
9fa8a285114cf38f8f3b931d1bda647d975479f7

SHA256
ebc12022722e51f093eeeb2ba3226f23af9d6fe3d554c41ba4f6d6b3ee0cd0bf

SHA512
f4eea146593958955420b67121d378441044b063ee62283ee31aa6ea4441467330e521e8a01ce3578def5a7ea15e1a0d77c1459db0ff8d45ea9b52d6fb92e71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut9A0E.tmp

Filesize
9KB

MD5
c8038cab3a5e68779c2cca8bedf20fc3

SHA1
549e4bd2f112fd4fc8822869dbaa39513fa3adeb

SHA256
45fef5435ba913641952d2cc6fb04472cf962a3db565fe7ae7af1f502d7c647e

SHA512
ba596253d5ead4062caac371f3d476f74bebe8f92cfa6fa7d77ed0dbca0785147d4a223348d87b432d5cb86ca3ed3da4c59f6f108f3bfa27760f5b153fa46636

Download Submit
C:\Users\Admin\AppData\Local\Temp\nonagglutinant

Filesize
28KB

MD5
1369a67ad6515e30b27fb17c9476c451

SHA1
37791312ae9767db771a01b41c7bcf7e17987244

SHA256
494c0915348650945c530da3cfb8781a7b9218e49e65ba8f14f46cecb9452f1c

SHA512
b6195398522658ceb00b0b50ed902e06ede1ead4587db6a2cf90b37f0e471d85607b76a455d26625f62eeee7e83f08268facc5a931de71189556e9446dcc2b7b

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.1MB

MD5
d83e73b450e3efedb4ac939dda36d6d9

SHA1
74d88f6a12495ddc6b9efdae197f1208ac623c2c

SHA256
6ea25f40af71831d25ee3ee4d4772826686dd77fcf1f90b23192bcba759f0e5d

SHA512
78619767cc25849de677307eba98da2a3352ea5c65baed6801d59ac3560d6917ecaf8dcf36dcea10de387ca29d861821570c5a58c1d83d87295219df8f1bbfe3

Download Submit
memory/432-10-0x0000000001170000-0x0000000001174000-memory.dmp

Filesize
16KB

Download
memory/2520-91-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-640-0x0000000005340000-0x00000000053DC000-memory.dmp

Filesize
624KB

Download
memory/2520-44-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-42-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-45-0x0000000002C10000-0x0000000002C4A000-memory.dmp

Filesize
232KB

Download
memory/2520-46-0x0000000005850000-0x0000000005DF4000-memory.dmp

Filesize
5.6MB

Download
memory/2520-47-0x00000000051C0000-0x00000000051F8000-memory.dmp

Filesize
224KB

Download
memory/2520-57-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-61-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-107-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-105-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-103-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-101-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-99-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-95-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-93-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-89-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-87-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-85-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-83-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-43-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-81-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-79-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-77-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-73-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-71-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-69-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-67-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-65-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-63-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-59-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-55-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-97-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-75-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-53-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-51-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-49-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-48-0x00000000051C0000-0x00000000051F3000-memory.dmp

Filesize
204KB

Download
memory/2520-641-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2520-643-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download