snakekeylogger | 8248df24bfd99d9869ec94c4d3321b61171a3c5137921bdd254e40118c50d0b7

Analysis

max time kernel
92s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8248df24bfd99d9869ec94c4d3321b61171a3c5137921bdd254e40118c50d0b7.exe
Size

949KB
MD5

d5b3d11c19dcb6e3125415c0dedfe2b6
SHA1

f4c8309c80c85b8d1316fb88a90102d81c3474fd
SHA256

8248df24bfd99d9869ec94c4d3321b61171a3c5137921bdd254e40118c50d0b7
SHA512

d1e9e87e82a29c4d24bc2ea25740032b93af7ee048309c9ed2e249578dca8b7558fe561fb25ec22eeceea62fb2b05607fad6c5eff724657612f12dc109f3f107
SSDEEP

12288:CDN+hU6YasBZbnT9pf0K+Dg0I6d3oxs0P3hCYbVVUhyeb5zXre:CfBZbnJFx+Dp2FUjVz6

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
granjaarmengol.com
Port:
587
Username:
[email protected]
Password:
28112811Ab
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/468-323-0x0000000040000000-0x0000000040024000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
42	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3528 set thread context of 468	3528	8248df24bfd99d9869ec94c4d3321b61171a3c5137921bdd254e40118c50d0b7.exe	90

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3528	8248df24bfd99d9869ec94c4d3321b61171a3c5137921bdd254e40118c50d0b7.exe
3528	8248df24bfd99d9869ec94c4d3321b61171a3c5137921bdd254e40118c50d0b7.exe
3528	8248df24bfd99d9869ec94c4d3321b61171a3c5137921bdd254e40118c50d0b7.exe
468	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3528	8248df24bfd99d9869ec94c4d3321b61171a3c5137921bdd254e40118c50d0b7.exe
Token: SeDebugPrivilege	468	InstallUtil.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 468	3528	8248df24bfd99d9869ec94c4d3321b61171a3c5137921bdd254e40118c50d0b7.exe	90
PID 3528 wrote to memory of 468	3528	8248df24bfd99d9869ec94c4d3321b61171a3c5137921bdd254e40118c50d0b7.exe	90
PID 3528 wrote to memory of 468	3528	8248df24bfd99d9869ec94c4d3321b61171a3c5137921bdd254e40118c50d0b7.exe	90
PID 3528 wrote to memory of 468	3528	8248df24bfd99d9869ec94c4d3321b61171a3c5137921bdd254e40118c50d0b7.exe	90
PID 3528 wrote to memory of 468	3528	8248df24bfd99d9869ec94c4d3321b61171a3c5137921bdd254e40118c50d0b7.exe	90
PID 3528 wrote to memory of 468	3528	8248df24bfd99d9869ec94c4d3321b61171a3c5137921bdd254e40118c50d0b7.exe	90

C:\Users\Admin\AppData\Local\Temp\8248df24bfd99d9869ec94c4d3321b61171a3c5137921bdd254e40118c50d0b7.exe
"C:\Users\Admin\AppData\Local\Temp\8248df24bfd99d9869ec94c4d3321b61171a3c5137921bdd254e40118c50d0b7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/468-323-0x0000000040000000-0x0000000040024000-memory.dmp

Filesize
144KB

Download
memory/3528-0-0x0000000002243000-0x0000000002245000-memory.dmp

Filesize
8KB

Download
memory/3528-1-0x0000000000AB0000-0x0000000000BA2000-memory.dmp

Filesize
968KB

Download
memory/3528-2-0x0000000022780000-0x000000002281E000-memory.dmp

Filesize
632KB

Download
memory/3528-3-0x0000000002240000-0x0000000002D01000-memory.dmp

Filesize
10.8MB

Download
memory/3528-4-0x0000000002243000-0x0000000002245000-memory.dmp

Filesize
8KB

Download
memory/3528-5-0x0000000000840000-0x00000000008A5000-memory.dmp

Filesize
404KB

Download
memory/3528-6-0x00000000008B0000-0x000000000096E000-memory.dmp

Filesize
760KB

Download
memory/3528-10-0x0000000001530000-0x00000000015CE000-memory.dmp

Filesize
632KB

Download
memory/3528-12-0x0000000001B10000-0x0000000001C3A000-memory.dmp

Filesize
1.2MB

Download
memory/3528-13-0x0000000002040000-0x00000000020EA000-memory.dmp

Filesize
680KB

Download
memory/3528-15-0x0000000001130000-0x0000000001142000-memory.dmp

Filesize
72KB

Download
memory/3528-25-0x0000000003130000-0x0000000003230000-memory.dmp

Filesize
1024KB

Download
memory/3528-30-0x000000001F780000-0x000000001F81E000-memory.dmp

Filesize
632KB

Download
memory/3528-37-0x0000000022760000-0x0000000022779000-memory.dmp

Filesize
100KB

Download
memory/3528-36-0x0000000022730000-0x000000002275C000-memory.dmp

Filesize
176KB

Download
memory/3528-38-0x0000000022830000-0x0000000022F6F000-memory.dmp

Filesize
7.2MB

Download
memory/3528-35-0x0000000022680000-0x000000002268C000-memory.dmp

Filesize
48KB

Download
memory/3528-42-0x00000000241D0000-0x0000000024280000-memory.dmp

Filesize
704KB

Download
memory/3528-44-0x0000000024A20000-0x0000000024CA3000-memory.dmp

Filesize
2.5MB

Download
memory/3528-49-0x0000000026020000-0x00000000260C9000-memory.dmp

Filesize
676KB

Download
memory/3528-48-0x0000000025C20000-0x0000000025DD4000-memory.dmp

Filesize
1.7MB

Download
memory/3528-47-0x0000000024600000-0x0000000024608000-memory.dmp

Filesize
32KB

Download
memory/3528-46-0x00000000254D0000-0x000000002559D000-memory.dmp

Filesize
820KB

Download
memory/3528-45-0x00000000253B0000-0x00000000254C5000-memory.dmp

Filesize
1.1MB

Download
memory/3528-43-0x00000000243F0000-0x0000000024599000-memory.dmp

Filesize
1.7MB

Download
memory/3528-41-0x00000000241B0000-0x00000000241CF000-memory.dmp

Filesize
124KB

Download
memory/3528-40-0x0000000023700000-0x00000000237AD000-memory.dmp

Filesize
692KB

Download
memory/3528-39-0x0000000022F70000-0x0000000023700000-memory.dmp

Filesize
7.6MB

Download
memory/3528-34-0x0000000022650000-0x0000000022677000-memory.dmp

Filesize
156KB

Download
memory/3528-33-0x000000001F8D0000-0x000000001F904000-memory.dmp

Filesize
208KB

Download
memory/3528-32-0x0000000004C30000-0x0000000004C48000-memory.dmp

Filesize
96KB

Download
memory/3528-31-0x000000001F920000-0x000000001FA6E000-memory.dmp

Filesize
1.3MB

Download
memory/3528-29-0x0000000004B90000-0x0000000004C13000-memory.dmp

Filesize
524KB

Download
memory/3528-17-0x0000000002240000-0x0000000002D01000-memory.dmp

Filesize
10.8MB

Download
memory/3528-27-0x000000001F2F0000-0x000000001F41A000-memory.dmp

Filesize
1.2MB

Download
memory/3528-26-0x0000000003440000-0x0000000003470000-memory.dmp

Filesize
192KB

Download
memory/3528-24-0x0000000003090000-0x000000000312D000-memory.dmp

Filesize
628KB

Download
memory/3528-23-0x0000000002F80000-0x000000000308B000-memory.dmp

Filesize
1.0MB

Download
memory/3528-22-0x0000000002200000-0x000000000222B000-memory.dmp

Filesize
172KB

Download
memory/3528-21-0x00000000021D0000-0x00000000021F2000-memory.dmp

Filesize
136KB

Download
memory/3528-20-0x0000000002EC0000-0x0000000002F7D000-memory.dmp

Filesize
756KB

Download
memory/3528-28-0x000000001F420000-0x000000001F775000-memory.dmp

Filesize
3.3MB

Download
memory/3528-19-0x00000000021B0000-0x00000000021C6000-memory.dmp

Filesize
88KB

Download
memory/3528-18-0x0000000002D10000-0x0000000002EB1000-memory.dmp

Filesize
1.6MB

Download
memory/3528-14-0x0000000001A10000-0x0000000001A65000-memory.dmp

Filesize
340KB

Download
memory/3528-16-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/3528-11-0x0000000001A70000-0x0000000001B0B000-memory.dmp

Filesize
620KB

Download
memory/3528-9-0x0000000001040000-0x00000000010EC000-memory.dmp

Filesize
688KB

Download
memory/3528-8-0x0000000000FB0000-0x0000000001040000-memory.dmp

Filesize
576KB

Download
memory/3528-7-0x0000000001260000-0x0000000001529000-memory.dmp

Filesize
2.8MB

Download
memory/3528-140-0x0000000026120000-0x000000002613A000-memory.dmp

Filesize
104KB

Download
memory/3528-141-0x0000000026140000-0x0000000026146000-memory.dmp

Filesize
24KB

Download
memory/3528-324-0x0000000002240000-0x0000000002D01000-memory.dmp

Filesize
10.8MB

Download