snakekeylogger | d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7

General

Target

d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe
Size

244KB
MD5

5b9067516c6af0b47434bfbd4796504a
SHA1

ebb265c4582e263edcb43954a1bc4752d955d475
SHA256

d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7
SHA512

2ed40c3687d69817efa418f39ea408d9195531b5d8b9875e5bde569f5e941b0c17b4e83b2186b84f46b159d50b5f1559f7c94279b0a17695f694eeeca57f0776
SSDEEP

6144:ngbDaX+pQ7uDe2bQD3g+UP/hry30vBEZTJv:nghpleCQD3g+UP/sB1

Score

10^/10

snakekeylogger discovery keylogger persistence stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
smtp.efinancet.shop
Port:
587
Username:
[email protected]
Password:
EmeN]m^8=-oI
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/1928-8-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\note = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\office\\note.exe\""	d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
31	checkip.dyndns.org
33	freegeoip.app
34	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1324 set thread context of 1928	1324	d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe	99

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3308	1928	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1324	d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe
1324	d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe
1928	d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1324	d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe
Token: SeDebugPrivilege	1928	d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1928	1324	d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe	99
PID 1324 wrote to memory of 1928	1324	d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe	99
PID 1324 wrote to memory of 1928	1324	d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe	99
PID 1324 wrote to memory of 1928	1324	d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe	99
PID 1324 wrote to memory of 1928	1324	d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe	99
PID 1324 wrote to memory of 1928	1324	d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe	99
PID 1324 wrote to memory of 1928	1324	d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe	99
PID 1324 wrote to memory of 1928	1324	d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe	99

C:\Users\Admin\AppData\Local\Temp\d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe
"C:\Users\Admin\AppData\Local\Temp\d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Admin\AppData\Local\Temp\d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe
  C:\Users\Admin\AppData\Local\Temp\d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1780
    3⤵
    - Program crash
    PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1928 -ip 1928
1⤵
PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d101b7f3d7b606775eb8dfbf673b3d62f0246985c8ab2742cd0e54efbde1a3d7.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
memory/1324-7-0x0000000004CC0000-0x0000000004CDC000-memory.dmp

Filesize
112KB

Download
memory/1324-1-0x0000000000230000-0x0000000000272000-memory.dmp

Filesize
264KB

Download
memory/1324-3-0x0000000004C00000-0x0000000004C3A000-memory.dmp

Filesize
232KB

Download
memory/1324-4-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/1324-5-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/1324-0-0x000000007490E000-0x000000007490F000-memory.dmp

Filesize
4KB

Download
memory/1324-12-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/1324-2-0x000000007490E000-0x000000007490F000-memory.dmp

Filesize
4KB

Download
memory/1928-8-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1928-11-0x0000000005340000-0x00000000058E4000-memory.dmp

Filesize
5.6MB

Download
memory/1928-14-0x0000000004D90000-0x0000000004E2C000-memory.dmp

Filesize
624KB

Download
memory/1928-13-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/1928-15-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download
memory/1928-16-0x0000000074900000-0x00000000750B0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads