snakekeylogger | 5c9fc59003603b1af1ef6f29731f0c8531cef2e94103485686837d676b1f474d

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-11-2024 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rQUOTATION_NOVQTRA071244__PDF.scr
Size

163KB
MD5

96349e5e49271d39ffcf6ec9c50ceb59
SHA1

5b9953512ccbbbf7215d4141c1ded9dbdc0f70dd
SHA256

5c9fc59003603b1af1ef6f29731f0c8531cef2e94103485686837d676b1f474d
SHA512

6bd167d542e50e77f8d057f7ade878c0f9d1a02030090a4515a97c20ca7ecb2fbdf8f19073cde3eeea7cb3344fd2eaa96d9f0a3829bf44f3d8cebf9886f505d4
SSDEEP

3072:1RzX9LAZc4Uk/172UL1gH6m+Gvq4EwOCk:1RzX9Z2daUL1gH6mPi4EwO

Score

10^/10

snakekeylogger collection keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
gator3220.hostgator.com
Port:
587
Username:
[email protected]
Password:
G!!HFpD6EwDq*nF

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2996-1099-0x0000000140000000-0x0000000140024000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

aspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

rQUOTATION_NOVQTRA071244__PDF.scr

description pid process target process

PID 1712 set thread context of 2996 1712 rQUOTATION_NOVQTRA071244__PDF.scr aspnet_compiler.exe

flow	ioc
10	checkip.dyndns.org

description	pid	process	target process
PID 1712 set thread context of 2996	1712	rQUOTATION_NOVQTRA071244__PDF.scr	aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

rQUOTATION_NOVQTRA071244__PDF.scraspnet_compiler.exe

pid	process
1712	rQUOTATION_NOVQTRA071244__PDF.scr
1712	rQUOTATION_NOVQTRA071244__PDF.scr
1712	rQUOTATION_NOVQTRA071244__PDF.scr
1712	rQUOTATION_NOVQTRA071244__PDF.scr
2996	aspnet_compiler.exe
2996	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

rQUOTATION_NOVQTRA071244__PDF.scraspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	1712	rQUOTATION_NOVQTRA071244__PDF.scr
Token: SeDebugPrivilege	1712	rQUOTATION_NOVQTRA071244__PDF.scr
Token: SeDebugPrivilege	2996	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rQUOTATION_NOVQTRA071244__PDF.scr

description	pid	process	target process
PID 1712 wrote to memory of 2996	1712	rQUOTATION_NOVQTRA071244__PDF.scr	aspnet_compiler.exe
PID 1712 wrote to memory of 2996	1712	rQUOTATION_NOVQTRA071244__PDF.scr	aspnet_compiler.exe
PID 1712 wrote to memory of 2996	1712	rQUOTATION_NOVQTRA071244__PDF.scr	aspnet_compiler.exe
PID 1712 wrote to memory of 2996	1712	rQUOTATION_NOVQTRA071244__PDF.scr	aspnet_compiler.exe
PID 1712 wrote to memory of 2996	1712	rQUOTATION_NOVQTRA071244__PDF.scr	aspnet_compiler.exe
PID 1712 wrote to memory of 2996	1712	rQUOTATION_NOVQTRA071244__PDF.scr	aspnet_compiler.exe
PID 1712 wrote to memory of 2996	1712	rQUOTATION_NOVQTRA071244__PDF.scr	aspnet_compiler.exe

outlook_office_path 1 IoCs

Processes:

aspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

outlook_win_path 1 IoCs

Processes:

aspnet_compiler.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\rQUOTATION_NOVQTRA071244__PDF.scr
"C:\Users\Admin\AppData\Local\Temp\rQUOTATION_NOVQTRA071244__PDF.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1712-0-0x000007FEF6083000-0x000007FEF6084000-memory.dmp

Filesize
4KB

Download
memory/1712-1-0x0000000000A60000-0x0000000000A8E000-memory.dmp

Filesize
184KB

Download
memory/1712-2-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/1712-3-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/1712-4-0x000000001AE40000-0x000000001AF2E000-memory.dmp

Filesize
952KB

Download
memory/1712-5-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-6-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-8-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-10-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-12-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-14-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-16-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-18-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-20-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-22-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-24-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-26-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-28-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-30-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-32-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-34-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-36-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-38-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-40-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-42-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-44-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-46-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-48-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-50-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-52-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-54-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-56-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-58-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-60-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-62-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-64-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-68-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-66-0x000000001AE40000-0x000000001AF29000-memory.dmp

Filesize
932KB

Download
memory/1712-1079-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/1712-1081-0x0000000002190000-0x00000000021DC000-memory.dmp

Filesize
304KB

Download
memory/1712-1080-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1712-1082-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/1712-1084-0x000007FEF6083000-0x000007FEF6084000-memory.dmp

Filesize
4KB

Download
memory/1712-1083-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/1712-1085-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/1712-1086-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/1712-1087-0x00000000021E0000-0x0000000002234000-memory.dmp

Filesize
336KB

Download
memory/1712-1097-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/1712-1096-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-1098-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-1099-0x0000000140000000-0x0000000140024000-memory.dmp

Filesize
144KB

Download
memory/2996-1100-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download
memory/2996-1101-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp

Filesize
9.9MB

Download