snakekeylogger | d5dbb09b7ecb1ba95cc42d1757a2e72e0c4bbd86cca5dd43dabf3a0d9425432a

General

Target

Quotation-GINC-19-00204.exe
Size

878KB
MD5

0c285a3c76e1f5f981de6282fedf1919
SHA1

dc3f467ff13529349090edc5c1a9aa597bd65e41
SHA256

d5dbb09b7ecb1ba95cc42d1757a2e72e0c4bbd86cca5dd43dabf3a0d9425432a
SHA512

ac1fe6ac984c63adb12c15c27ca74f2120dfae406a2ba532c29d545ab56739b9ad8915447204e4770cc1d3e822ac0d7271e36c43d71c43e8a4b245878dd5a43d
SSDEEP

24576:miGFaq43NvCZXv/+2JujTrlCJREBJ/QOead:miGFu3Nvw3+XdrJ/qad

Score

10^/10

snakekeylogger discovery keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
webmail.berkeleyindia.com
Port:
587
Username:
[email protected]
Password:
2szbiev2pciv

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

resource	yara_rule
behavioral2/memory/2720-297-0x00000000004A0000-0x00000000016F4000-memory.dmp	family_snakekeylogger
behavioral2/memory/2720-300-0x00000000004A0000-0x00000000004C6000-memory.dmp	family_snakekeylogger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Quotation-GINC-19-00204.exe

Loads dropped DLL 1 IoCs

pid	Process
4768	Quotation-GINC-19-00204.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	drive.google.com
24	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2720	Quotation-GINC-19-00204.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4768	Quotation-GINC-19-00204.exe
2720	Quotation-GINC-19-00204.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4768 set thread context of 2720	4768	Quotation-GINC-19-00204.exe	90

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\figenkaktusses\Ea40.ini	Quotation-GINC-19-00204.exe
File opened for modification	C:\Windows\Fonts\heraclitic.Wom	Quotation-GINC-19-00204.exe
File opened for modification	C:\Windows\storsejlenes\blackweed.hor	Quotation-GINC-19-00204.exe
File opened for modification	C:\Windows\Arder.lnk	Quotation-GINC-19-00204.exe
File created	C:\Windows\Arder.lnk	Quotation-GINC-19-00204.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation-GINC-19-00204.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quotation-GINC-19-00204.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2720	Quotation-GINC-19-00204.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4768	Quotation-GINC-19-00204.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	Quotation-GINC-19-00204.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 2720	4768	Quotation-GINC-19-00204.exe	90
PID 4768 wrote to memory of 2720	4768	Quotation-GINC-19-00204.exe	90
PID 4768 wrote to memory of 2720	4768	Quotation-GINC-19-00204.exe	90
PID 4768 wrote to memory of 2720	4768	Quotation-GINC-19-00204.exe	90
PID 4768 wrote to memory of 2720	4768	Quotation-GINC-19-00204.exe	90
PID 2720 wrote to memory of 3948	2720	Quotation-GINC-19-00204.exe	96
PID 2720 wrote to memory of 3948	2720	Quotation-GINC-19-00204.exe	96
PID 2720 wrote to memory of 3948	2720	Quotation-GINC-19-00204.exe	96
PID 3948 wrote to memory of 1044	3948	cmd.exe	98
PID 3948 wrote to memory of 1044	3948	cmd.exe	98
PID 3948 wrote to memory of 1044	3948	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\Quotation-GINC-19-00204.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation-GINC-19-00204.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Local\Temp\Quotation-GINC-19-00204.exe
  "C:\Users\Admin\AppData\Local\Temp\Quotation-GINC-19-00204.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Quotation-GINC-19-00204.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      System Location Discovery: System Language Discovery
      PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsv957A.tmp\System.dll

Filesize
11KB

MD5
34442e1e0c2870341df55e1b7b3cccdc

SHA1
99b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c

SHA256
269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1

SHA512
4a8c57fb12997438b488b862f3fc9dc0f236e07bb47b2bce6053dcb03ac7ad171842f02ac749f02dda4719c681d186330524cd2953d33cb50854844e74b33d51

Download Submit
C:\Windows\Arder.lnk

Filesize
726B

MD5
494254afe484cb2a9846dd9982017355

SHA1
1c4e61a24041dc8acffe778a81ebbb1cfd76a18d

SHA256
60b1692d995fb102bbd864cd082e8703ec3151df4fcdae2526c6e133e15a19dd

SHA512
d8bd73c7809fd9365db9590ddd11f453c746f957ae096ca9da7fd5c7892ff77d9eeb06ee85a20aa84688ad5460c960ffdc54b0dd14534a89ede5c4ec9315a5ee

Download Submit
memory/2720-301-0x0000000038E00000-0x00000000393A4000-memory.dmp

Filesize
5.6MB

Download
memory/2720-297-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2720-311-0x0000000072110000-0x00000000728C0000-memory.dmp

Filesize
7.7MB

Download
memory/2720-282-0x00000000775A8000-0x00000000775A9000-memory.dmp

Filesize
4KB

Download
memory/2720-283-0x00000000775C5000-0x00000000775C6000-memory.dmp

Filesize
4KB

Download
memory/2720-293-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/2720-298-0x0000000077521000-0x0000000077641000-memory.dmp

Filesize
1.1MB

Download
memory/2720-306-0x0000000072110000-0x00000000728C0000-memory.dmp

Filesize
7.7MB

Download
memory/2720-299-0x000000007211E000-0x000000007211F000-memory.dmp

Filesize
4KB

Download
memory/2720-300-0x00000000004A0000-0x00000000004C6000-memory.dmp

Filesize
152KB

Download
memory/2720-305-0x0000000077521000-0x0000000077641000-memory.dmp

Filesize
1.1MB

Download
memory/2720-302-0x0000000038CA0000-0x0000000038D3C000-memory.dmp

Filesize
624KB

Download
memory/2720-303-0x0000000072110000-0x00000000728C0000-memory.dmp

Filesize
7.7MB

Download
memory/4768-279-0x0000000077521000-0x0000000077641000-memory.dmp

Filesize
1.1MB

Download
memory/4768-281-0x00000000749C4000-0x00000000749C5000-memory.dmp

Filesize
4KB

Download
memory/4768-280-0x0000000077521000-0x0000000077641000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing