snakekeylogger | d5dbb09b7ecb1ba95cc42d1757a2e72e0c4bbd86cca5dd43dabf3a0d9425432a

General

Target

Quotation-GINC-19-00204.exe
Size

878KB
MD5

0c285a3c76e1f5f981de6282fedf1919
SHA1

dc3f467ff13529349090edc5c1a9aa597bd65e41
SHA256

d5dbb09b7ecb1ba95cc42d1757a2e72e0c4bbd86cca5dd43dabf3a0d9425432a
SHA512

ac1fe6ac984c63adb12c15c27ca74f2120dfae406a2ba532c29d545ab56739b9ad8915447204e4770cc1d3e822ac0d7271e36c43d71c43e8a4b245878dd5a43d
SSDEEP

24576:miGFaq43NvCZXv/+2JujTrlCJREBJ/QOead:miGFu3Nvw3+XdrJ/qad

Score

10^/10

snakekeylogger discovery keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
webmail.berkeleyindia.com
Port:
587
Username:
[email protected]
Password:
2szbiev2pciv

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

resource	yara_rule
behavioral2/memory/2000-296-0x00000000004A0000-0x00000000016F4000-memory.dmp	family_snakekeylogger
behavioral2/memory/2000-299-0x00000000004A0000-0x00000000004C6000-memory.dmp	family_snakekeylogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Quotation-GINC-19-00204.exe

Loads dropped DLL 1 IoCs

pid	Process
2796	Quotation-GINC-19-00204.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	drive.google.com
25	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2000	Quotation-GINC-19-00204.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2796	Quotation-GINC-19-00204.exe
2000	Quotation-GINC-19-00204.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2796 set thread context of 2000	2796	Quotation-GINC-19-00204.exe	90

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Arder.lnk	Quotation-GINC-19-00204.exe
File opened for modification	C:\Windows\resources\0409\figenkaktusses\Ea40.ini	Quotation-GINC-19-00204.exe
File opened for modification	C:\Windows\Fonts\heraclitic.Wom	Quotation-GINC-19-00204.exe
File opened for modification	C:\Windows\storsejlenes\blackweed.hor	Quotation-GINC-19-00204.exe
File opened for modification	C:\Windows\Arder.lnk	Quotation-GINC-19-00204.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation-GINC-19-00204.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation-GINC-19-00204.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2000	Quotation-GINC-19-00204.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2796	Quotation-GINC-19-00204.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	Quotation-GINC-19-00204.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2000	2796	Quotation-GINC-19-00204.exe	90
PID 2796 wrote to memory of 2000	2796	Quotation-GINC-19-00204.exe	90
PID 2796 wrote to memory of 2000	2796	Quotation-GINC-19-00204.exe	90
PID 2796 wrote to memory of 2000	2796	Quotation-GINC-19-00204.exe	90
PID 2796 wrote to memory of 2000	2796	Quotation-GINC-19-00204.exe	90
PID 2000 wrote to memory of 1512	2000	Quotation-GINC-19-00204.exe	94
PID 2000 wrote to memory of 1512	2000	Quotation-GINC-19-00204.exe	94
PID 2000 wrote to memory of 1512	2000	Quotation-GINC-19-00204.exe	94
PID 1512 wrote to memory of 3488	1512	cmd.exe	96
PID 1512 wrote to memory of 3488	1512	cmd.exe	96
PID 1512 wrote to memory of 3488	1512	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\Quotation-GINC-19-00204.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation-GINC-19-00204.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\Quotation-GINC-19-00204.exe
  "C:\Users\Admin\AppData\Local\Temp\Quotation-GINC-19-00204.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Quotation-GINC-19-00204.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      System Location Discovery: System Language Discovery
      PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nskABE1.tmp\System.dll

Filesize
11KB

MD5
34442e1e0c2870341df55e1b7b3cccdc

SHA1
99b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c

SHA256
269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1

SHA512
4a8c57fb12997438b488b862f3fc9dc0f236e07bb47b2bce6053dcb03ac7ad171842f02ac749f02dda4719c681d186330524cd2953d33cb50854844e74b33d51

Download Submit
C:\Windows\Arder.lnk

Filesize
722B

MD5
0f4bd53a63a7a4ed46df0f42a3d248ce

SHA1
875e1d20a386d7810e6befc7793054c357555fa8

SHA256
13752b5c6f1248c7fe42f8c1d11e8a8402034bbbd30168cfc5223446de5c7d59

SHA512
c18be80707390cf8c36912494a49eb209a7fdb2e8b6e8f35087e7fd17fe919fc436997a3fc83c1a51b10631cee158e273b919a63a1ccbd4ea92ddadaabf13633

Download Submit
memory/2000-296-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2000-298-0x000000007242E000-0x000000007242F000-memory.dmp

Filesize
4KB

Download
memory/2000-281-0x00000000778B8000-0x00000000778B9000-memory.dmp

Filesize
4KB

Download
memory/2000-282-0x00000000778D5000-0x00000000778D6000-memory.dmp

Filesize
4KB

Download
memory/2000-295-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2000-297-0x0000000077831000-0x0000000077951000-memory.dmp

Filesize
1.1MB

Download
memory/2000-306-0x0000000072420000-0x0000000072BD0000-memory.dmp

Filesize
7.7MB

Download
memory/2000-303-0x0000000072420000-0x0000000072BD0000-memory.dmp

Filesize
7.7MB

Download
memory/2000-299-0x00000000004A0000-0x00000000004C6000-memory.dmp

Filesize
152KB

Download
memory/2000-300-0x0000000038E00000-0x00000000393A4000-memory.dmp

Filesize
5.6MB

Download
memory/2000-301-0x0000000038C30000-0x0000000038CCC000-memory.dmp

Filesize
624KB

Download
memory/2000-302-0x0000000077831000-0x0000000077951000-memory.dmp

Filesize
1.1MB

Download
memory/2796-280-0x0000000074CD4000-0x0000000074CD5000-memory.dmp

Filesize
4KB

Download
memory/2796-279-0x0000000077831000-0x0000000077951000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing