snakekeylogger | 8248df24bfd99d9869ec94c4d3321b61171a3c5137921bdd254e40118c50d0b7

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FAKTURA_.EXE.exe
Size

949KB
MD5

d5b3d11c19dcb6e3125415c0dedfe2b6
SHA1

f4c8309c80c85b8d1316fb88a90102d81c3474fd
SHA256

8248df24bfd99d9869ec94c4d3321b61171a3c5137921bdd254e40118c50d0b7
SHA512

d1e9e87e82a29c4d24bc2ea25740032b93af7ee048309c9ed2e249578dca8b7558fe561fb25ec22eeceea62fb2b05607fad6c5eff724657612f12dc109f3f107
SSDEEP

12288:CDN+hU6YasBZbnT9pf0K+Dg0I6d3oxs0P3hCYbVVUhyeb5zXre:CfBZbnJFx+Dp2FUjVz6

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
granjaarmengol.com
Port:
587
Username:
[email protected]
Password:
28112811Ab
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/3036-323-0x0000000040000000-0x0000000040024000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4744 set thread context of 3036	4744	FAKTURA_.EXE.exe	90

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4744	FAKTURA_.EXE.exe
4744	FAKTURA_.EXE.exe
4744	FAKTURA_.EXE.exe
3036	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	FAKTURA_.EXE.exe
Token: SeDebugPrivilege	3036	InstallUtil.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 3036	4744	FAKTURA_.EXE.exe	90
PID 4744 wrote to memory of 3036	4744	FAKTURA_.EXE.exe	90
PID 4744 wrote to memory of 3036	4744	FAKTURA_.EXE.exe	90
PID 4744 wrote to memory of 3036	4744	FAKTURA_.EXE.exe	90
PID 4744 wrote to memory of 3036	4744	FAKTURA_.EXE.exe	90
PID 4744 wrote to memory of 3036	4744	FAKTURA_.EXE.exe	90

C:\Users\Admin\AppData\Local\Temp\FAKTURA_.EXE.exe
"C:\Users\Admin\AppData\Local\Temp\FAKTURA_.EXE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3036-323-0x0000000040000000-0x0000000040024000-memory.dmp

Filesize
144KB

Download
memory/4744-0-0x0000000002393000-0x0000000002395000-memory.dmp

Filesize
8KB

Download
memory/4744-1-0x0000000000E30000-0x0000000000F22000-memory.dmp

Filesize
968KB

Download
memory/4744-2-0x00000000228F0000-0x000000002298E000-memory.dmp

Filesize
632KB

Download
memory/4744-3-0x0000000002390000-0x0000000002E51000-memory.dmp

Filesize
10.8MB

Download
memory/4744-4-0x0000000002393000-0x0000000002395000-memory.dmp

Filesize
8KB

Download
memory/4744-5-0x0000000000780000-0x00000000007E5000-memory.dmp

Filesize
404KB

Download
memory/4744-6-0x0000000001060000-0x000000000111E000-memory.dmp

Filesize
760KB

Download
memory/4744-7-0x0000000001120000-0x00000000013E9000-memory.dmp

Filesize
2.8MB

Download
memory/4744-8-0x0000000001500000-0x0000000001590000-memory.dmp

Filesize
576KB

Download
memory/4744-10-0x00000000016B0000-0x000000000174E000-memory.dmp

Filesize
632KB

Download
memory/4744-16-0x0000000000730000-0x000000000073A000-memory.dmp

Filesize
40KB

Download
memory/4744-14-0x0000000001C30000-0x0000000001C85000-memory.dmp

Filesize
340KB

Download
memory/4744-13-0x0000000001DC0000-0x0000000001E6A000-memory.dmp

Filesize
680KB

Download
memory/4744-17-0x0000000002390000-0x0000000002E51000-memory.dmp

Filesize
10.8MB

Download
memory/4744-30-0x000000001F850000-0x000000001F8EE000-memory.dmp

Filesize
632KB

Download
memory/4744-37-0x0000000022890000-0x00000000228A9000-memory.dmp

Filesize
100KB

Download
memory/4744-36-0x0000000022860000-0x000000002288C000-memory.dmp

Filesize
176KB

Download
memory/4744-35-0x00000000227C0000-0x00000000227CC000-memory.dmp

Filesize
48KB

Download
memory/4744-34-0x0000000022790000-0x00000000227B7000-memory.dmp

Filesize
156KB

Download
memory/4744-33-0x000000001FA10000-0x000000001FA44000-memory.dmp

Filesize
208KB

Download
memory/4744-31-0x000000001FA60000-0x000000001FBAE000-memory.dmp

Filesize
1.3MB

Download
memory/4744-28-0x000000001F4F0000-0x000000001F845000-memory.dmp

Filesize
3.3MB

Download
memory/4744-27-0x0000000004E30000-0x0000000004F5A000-memory.dmp

Filesize
1.2MB

Download
memory/4744-26-0x0000000003580000-0x00000000035B0000-memory.dmp

Filesize
192KB

Download
memory/4744-25-0x0000000003280000-0x0000000003380000-memory.dmp

Filesize
1024KB

Download
memory/4744-24-0x00000000031E0000-0x000000000327D000-memory.dmp

Filesize
628KB

Download
memory/4744-23-0x00000000030D0000-0x00000000031DB000-memory.dmp

Filesize
1.0MB

Download
memory/4744-32-0x0000000004DF0000-0x0000000004E08000-memory.dmp

Filesize
96KB

Download
memory/4744-22-0x0000000001F40000-0x0000000001F6B000-memory.dmp

Filesize
172KB

Download
memory/4744-21-0x0000000001F10000-0x0000000001F32000-memory.dmp

Filesize
136KB

Download
memory/4744-20-0x0000000001EF0000-0x0000000001F06000-memory.dmp

Filesize
88KB

Download
memory/4744-19-0x0000000003010000-0x00000000030CD000-memory.dmp

Filesize
756KB

Download
memory/4744-29-0x0000000004F60000-0x0000000004FE3000-memory.dmp

Filesize
524KB

Download
memory/4744-18-0x0000000002E60000-0x0000000003001000-memory.dmp

Filesize
1.6MB

Download
memory/4744-12-0x0000000001C90000-0x0000000001DBA000-memory.dmp

Filesize
1.2MB

Download
memory/4744-15-0x0000000000E00000-0x0000000000E12000-memory.dmp

Filesize
72KB

Download
memory/4744-11-0x0000000001B50000-0x0000000001BEB000-memory.dmp

Filesize
620KB

Download
memory/4744-9-0x0000000001590000-0x000000000163C000-memory.dmp

Filesize
688KB

Download
memory/4744-38-0x00000000229A0000-0x00000000230DF000-memory.dmp

Filesize
7.2MB

Download
memory/4744-41-0x00000000228C0000-0x00000000228DF000-memory.dmp

Filesize
124KB

Download
memory/4744-39-0x00000000230E0000-0x0000000023870000-memory.dmp

Filesize
7.6MB

Download
memory/4744-44-0x0000000024CD0000-0x0000000024F53000-memory.dmp

Filesize
2.5MB

Download
memory/4744-43-0x0000000024530000-0x00000000246D9000-memory.dmp

Filesize
1.7MB

Download
memory/4744-42-0x0000000024310000-0x00000000243C0000-memory.dmp

Filesize
704KB

Download
memory/4744-40-0x0000000023870000-0x000000002391D000-memory.dmp

Filesize
692KB

Download
memory/4744-47-0x00000000248B0000-0x00000000248B8000-memory.dmp

Filesize
32KB

Download
memory/4744-46-0x00000000247E0000-0x00000000248AD000-memory.dmp

Filesize
820KB

Download
memory/4744-45-0x0000000024F60000-0x0000000025075000-memory.dmp

Filesize
1.1MB

Download
memory/4744-49-0x0000000025FB0000-0x0000000026059000-memory.dmp

Filesize
676KB

Download
memory/4744-48-0x0000000025CF0000-0x0000000025EA4000-memory.dmp

Filesize
1.7MB

Download
memory/4744-140-0x00000000260E0000-0x00000000260FA000-memory.dmp

Filesize
104KB

Download
memory/4744-141-0x0000000026100000-0x0000000026106000-memory.dmp

Filesize
24KB

Download
memory/4744-324-0x0000000002390000-0x0000000002E51000-memory.dmp

Filesize
10.8MB

Download