snakekeylogger | 3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3

General

Target

3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3.exe
Size

640KB
MD5

9658dbdba747c4739e1b5c4bdcdb5d4d
SHA1

201c85ae456e4696d995ec232b43bb665f52fb32
SHA256

3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3
SHA512

b51e4ac8c75d3d38bc394145ca684d4267ffcf5130aac7f1a6182cee9648df55b30114087c21a0091531dd9983937e426f289c3fd892be1e88d0e97063ccdaa7
SSDEEP

12288:av/AYnEyHWiaHzNwsQg/8wvUwLywNaSctMXg:kYpmQ8whiMw

Score

10^/10

snakekeylogger discovery keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
reptw.xyz
Port:
587
Username:
[email protected]
Password:
=W;D)NMYK*HI
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

resource	yara_rule
behavioral1/memory/2572-6-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2572-5-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2572-8-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2572-12-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2572-10-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org
8	freegeoip.app
9	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2072 set thread context of 2572	2072	3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2228	2072	WerFault.exe	29
3056	2572	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2572	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3.exe
Token: SeDebugPrivilege	2572	vbc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2572	2072	3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3.exe	30
PID 2072 wrote to memory of 2572	2072	3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3.exe	30
PID 2072 wrote to memory of 2572	2072	3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3.exe	30
PID 2072 wrote to memory of 2572	2072	3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3.exe	30
PID 2072 wrote to memory of 2572	2072	3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3.exe	30
PID 2072 wrote to memory of 2572	2072	3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3.exe	30
PID 2072 wrote to memory of 2572	2072	3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3.exe	30
PID 2072 wrote to memory of 2572	2072	3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3.exe	30
PID 2072 wrote to memory of 2572	2072	3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3.exe	30
PID 2072 wrote to memory of 2228	2072	3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3.exe	31
PID 2072 wrote to memory of 2228	2072	3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3.exe	31
PID 2072 wrote to memory of 2228	2072	3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3.exe	31
PID 2072 wrote to memory of 2228	2072	3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3.exe	31
PID 2572 wrote to memory of 3056	2572	vbc.exe	33
PID 2572 wrote to memory of 3056	2572	vbc.exe	33
PID 2572 wrote to memory of 3056	2572	vbc.exe	33
PID 2572 wrote to memory of 3056	2572	vbc.exe	33

C:\Users\Admin\AppData\Local\Temp\3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3.exe
"C:\Users\Admin\AppData\Local\Temp\3000b3ec5d8622397d5b4288810e7215bfddcf2573023059fc84259b0bafa4f3.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 1552
    3⤵
    - Program crash
    PID:3056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 832
  2⤵
  - Program crash
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2072-0-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/2072-1-0x0000000000DA0000-0x0000000000E46000-memory.dmp

Filesize
664KB

Download
memory/2072-2-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2072-15-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2572-8-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2572-6-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2572-5-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2572-4-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2572-7-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2572-12-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2572-10-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2572-13-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2572-14-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2572-3-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2572-16-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2572-17-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2572-18-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing