snakekeylogger | e2eb6ae5ae0c59c2c20cded55d33293fc3a88431312ace0a943ae074991ff1d5

Analysis

max time kernel
108s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PROFORMA FATURA pdf.exe
Size

2.3MB
MD5

a30e9b58b16c609e63db086c39fc5c83
SHA1

c4d0933d90088ba673e17bcff3efd52dace7e8df
SHA256

f278e9e47422ea40eda7002194f17872643ab88366e84124813f161b28be9c09
SHA512

2a1bdda4e3c2ad2ad312acd87d16f4ccf9dc6ce3b50941d1771ef53786da9f91c71629096c3403b7b48cdb9ad215facf958a1353c5f0380b846987c9da90ea7b
SSDEEP

49152:tDCNmXVrxzzilHH+/EZvwN/Idbze5QYpiDLT+s:qHH+cZvPd/ew

Score

10^/10

snakekeylogger collection keylogger persistence stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot7763642353:AAFJAT5gGdyzAPlr52ZFpaxd8BnWyDl4dX8/sendMessage?chat_id=6012493587

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/1620-1092-0x0000000140000000-0x0000000140024000-memory.dmp	family_snakekeylogger

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1052 created 3496	1052	PROFORMA FATURA pdf.exe	56

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hzvunihikjt = "C:\\Users\\Admin\\AppData\\Roaming\\Hzvunihikjt.exe"	PROFORMA FATURA pdf.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1052 set thread context of 1620	1052	PROFORMA FATURA pdf.exe	82

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1052	PROFORMA FATURA pdf.exe
1620	MSBuild.exe
1620	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1052	PROFORMA FATURA pdf.exe
Token: SeDebugPrivilege	1052	PROFORMA FATURA pdf.exe
Token: SeDebugPrivilege	1620	MSBuild.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 1620	1052	PROFORMA FATURA pdf.exe	82
PID 1052 wrote to memory of 1620	1052	PROFORMA FATURA pdf.exe	82
PID 1052 wrote to memory of 1620	1052	PROFORMA FATURA pdf.exe	82
PID 1052 wrote to memory of 1620	1052	PROFORMA FATURA pdf.exe	82
PID 1052 wrote to memory of 1620	1052	PROFORMA FATURA pdf.exe	82
PID 1052 wrote to memory of 1620	1052	PROFORMA FATURA pdf.exe	82

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3496
- C:\Users\Admin\AppData\Local\Temp\PROFORMA FATURA pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\PROFORMA FATURA pdf.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1052
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1052-0-0x00000126B9EA0000-0x00000126BA0EE000-memory.dmp

Filesize
2.3MB

Download
memory/1052-1-0x00007FFF213E3000-0x00007FFF213E5000-memory.dmp

Filesize
8KB

Download
memory/1052-2-0x00000126BA4B0000-0x00000126BA59C000-memory.dmp

Filesize
944KB

Download
memory/1052-3-0x00000126D4830000-0x00000126D4916000-memory.dmp

Filesize
920KB

Download
memory/1052-4-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-17-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-63-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-49-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-29-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-27-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-25-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-23-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-21-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-19-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-15-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-13-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-9-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-7-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-5-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-11-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-67-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-114-0x00007FFF213E0000-0x00007FFF21EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1052-65-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-61-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-59-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-57-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-55-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-53-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-52-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-47-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-45-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-43-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-41-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-39-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-37-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-35-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-33-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-31-0x00000126D4830000-0x00000126D4911000-memory.dmp

Filesize
900KB

Download
memory/1052-1079-0x00007FFF213E0000-0x00007FFF21EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1052-1081-0x00000126BBF80000-0x00000126BBFCC000-memory.dmp

Filesize
304KB

Download
memory/1052-1080-0x00000126BBDD0000-0x00000126BBE32000-memory.dmp

Filesize
392KB

Download
memory/1052-1085-0x00007FFF213E0000-0x00007FFF21EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1052-1086-0x00007FFF213E0000-0x00007FFF21EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1052-1087-0x00007FFF213E0000-0x00007FFF21EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1052-1088-0x00000126D47A0000-0x00000126D47F4000-memory.dmp

Filesize
336KB

Download
memory/1052-1091-0x00007FFF213E0000-0x00007FFF21EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1620-1092-0x0000000140000000-0x0000000140024000-memory.dmp

Filesize
144KB

Download
memory/1620-1093-0x00007FFF213E0000-0x00007FFF21EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1620-1094-0x00007FFF213E0000-0x00007FFF21EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1620-1095-0x000001537F690000-0x000001537F6E0000-memory.dmp

Filesize
320KB

Download
memory/1620-1096-0x000001537F8F0000-0x000001537FAB2000-memory.dmp

Filesize
1.8MB

Download
memory/1620-1097-0x00007FFF213E0000-0x00007FFF21EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1620-1098-0x00007FFF213E0000-0x00007FFF21EA1000-memory.dmp

Filesize
10.8MB

Download