snakekeylogger | eb52bf1a53d28600ebc350ea1ffdffe1fb619ac9bd2070200fa8b39c8f30a8cd

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb52bf1a53d28600ebc350ea1ffdffe1fb619ac9bd2070200fa8b39c8f30a8cd.exe
Size

1.4MB
MD5

e717ed3845849e9a3bfbb53c8ecb87f2
SHA1

7ae3a696867e9fb90d2633672801ff8dcc6d0d6c
SHA256

eb52bf1a53d28600ebc350ea1ffdffe1fb619ac9bd2070200fa8b39c8f30a8cd
SHA512

97aecfe61a881a1791a396ee92f6c3b18a7a21bcbfb80f5cda69f81678863119c2220eb102e7233512483f95c2588a0e5955762036ced72d658ab2b9a936b8da
SSDEEP

12288:h1Ql5Z04nr+u96ovJI3pmnbjvLb1H9u60Bj3tqxpopll2L+aB:hWLP9Z4GnLBH9/Qtqczha

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
gator3220.hostgator.com
Port:
587
Username:
[email protected]
Password:
sqlv#))OxYLxAXyhMyi

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral1/memory/3864-1092-0x00000000005C0000-0x00000000005E4000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	checkip.dyndns.org

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3048	eb52bf1a53d28600ebc350ea1ffdffe1fb619ac9bd2070200fa8b39c8f30a8cd.exe
3048	eb52bf1a53d28600ebc350ea1ffdffe1fb619ac9bd2070200fa8b39c8f30a8cd.exe
3048	eb52bf1a53d28600ebc350ea1ffdffe1fb619ac9bd2070200fa8b39c8f30a8cd.exe
3048	eb52bf1a53d28600ebc350ea1ffdffe1fb619ac9bd2070200fa8b39c8f30a8cd.exe
3864	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	eb52bf1a53d28600ebc350ea1ffdffe1fb619ac9bd2070200fa8b39c8f30a8cd.exe
Token: SeDebugPrivilege	3048	eb52bf1a53d28600ebc350ea1ffdffe1fb619ac9bd2070200fa8b39c8f30a8cd.exe
Token: SeDebugPrivilege	3864	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 3864	3048	eb52bf1a53d28600ebc350ea1ffdffe1fb619ac9bd2070200fa8b39c8f30a8cd.exe	31
PID 3048 wrote to memory of 3864	3048	eb52bf1a53d28600ebc350ea1ffdffe1fb619ac9bd2070200fa8b39c8f30a8cd.exe	31
PID 3048 wrote to memory of 3864	3048	eb52bf1a53d28600ebc350ea1ffdffe1fb619ac9bd2070200fa8b39c8f30a8cd.exe	31
PID 3048 wrote to memory of 3864	3048	eb52bf1a53d28600ebc350ea1ffdffe1fb619ac9bd2070200fa8b39c8f30a8cd.exe	31
PID 3864 wrote to memory of 2880	3864	aspnet_compiler.exe	34
PID 3864 wrote to memory of 2880	3864	aspnet_compiler.exe	34
PID 3864 wrote to memory of 2880	3864	aspnet_compiler.exe	34
PID 2880 wrote to memory of 336	2880	cmd.exe	36
PID 2880 wrote to memory of 336	2880	cmd.exe	36
PID 2880 wrote to memory of 336	2880	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\eb52bf1a53d28600ebc350ea1ffdffe1fb619ac9bd2070200fa8b39c8f30a8cd.exe
"C:\Users\Admin\AppData\Local\Temp\eb52bf1a53d28600ebc350ea1ffdffe1fb619ac9bd2070200fa8b39c8f30a8cd.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3048-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

Filesize
4KB

Download
memory/3048-1-0x0000000000E20000-0x0000000000F8E000-memory.dmp

Filesize
1.4MB

Download
memory/3048-2-0x0000000000900000-0x0000000000910000-memory.dmp

Filesize
64KB

Download
memory/3048-3-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-4-0x000000001BE10000-0x000000001BF18000-memory.dmp

Filesize
1.0MB

Download
memory/3048-5-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-20-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-44-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-68-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-66-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-64-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-62-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-60-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-58-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-56-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-54-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-52-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-50-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-48-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-46-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-42-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-40-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-38-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-36-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-34-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-32-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-30-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-28-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-26-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-24-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-22-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-18-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-16-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-14-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-12-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-10-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-8-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-6-0x000000001BE10000-0x000000001BF12000-memory.dmp

Filesize
1.0MB

Download
memory/3048-1079-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-1081-0x0000000000DB0000-0x0000000000DFC000-memory.dmp

Filesize
304KB

Download
memory/3048-1080-0x000000001B050000-0x000000001B0CA000-memory.dmp

Filesize
488KB

Download
memory/3048-1083-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-1084-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

Filesize
4KB

Download
memory/3048-1082-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-1085-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-1086-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-1087-0x000000001AD30000-0x000000001AD84000-memory.dmp

Filesize
336KB

Download
memory/3048-1090-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/3864-1089-0x0000000000060000-0x0000000000088000-memory.dmp

Filesize
160KB

Download
memory/3864-1091-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

Filesize
4KB

Download
memory/3864-1092-0x00000000005C0000-0x00000000005E4000-memory.dmp

Filesize
144KB

Download
memory/3864-1093-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/3864-1095-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/3864-1094-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/3864-1096-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/3864-1097-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/3864-1099-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download