snakekeylogger | 36cdc6df8de12cc11fb6918cd4096d03e3d7b344eb0ad2d6f16bd2c0bcafbbda

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QUOTATION_NOVQTRA071244PDF.scr
Size

1.4MB
MD5

9c6de69b3f4bd16dc76a37fd8a50aea4
SHA1

a5c6f87a637a6e5ffd073dc90a3cbfa0591160c1
SHA256

137ad88b1c43f6aa6f01b9b8a7b15027387d501dbe7af463a7b639f5abf3f116
SHA512

255dbc20c850d91eaccbe338b99ef1e144af703e6bc88c70f8d8d0f6dd2089cbbc6ddb2f8b4dccd6770c75bc21176ae41566eb995d58645ae0a86d42ef1d3841
SSDEEP

12288:Yx093lfiCZNsgg/iUZ0vXTWyzopB2QrJ30Bme47vAn+TbzeB:YIiFzj+vXhzop5rJ3gmYSe

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
gator3220.hostgator.com
Port:
587
Username:
[email protected]
Password:
G!!HFpD@N*]*nF

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral1/memory/5032-1093-0x00000000026A0000-0x00000000026C4000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	checkip.dyndns.org

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2416	QUOTATION_NOVQTRA071244PDF.scr
2416	QUOTATION_NOVQTRA071244PDF.scr
2416	QUOTATION_NOVQTRA071244PDF.scr
2416	QUOTATION_NOVQTRA071244PDF.scr
5032	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	QUOTATION_NOVQTRA071244PDF.scr
Token: SeDebugPrivilege	2416	QUOTATION_NOVQTRA071244PDF.scr
Token: SeDebugPrivilege	5032	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 5032	2416	QUOTATION_NOVQTRA071244PDF.scr	32
PID 2416 wrote to memory of 5032	2416	QUOTATION_NOVQTRA071244PDF.scr	32
PID 2416 wrote to memory of 5032	2416	QUOTATION_NOVQTRA071244PDF.scr	32
PID 2416 wrote to memory of 5032	2416	QUOTATION_NOVQTRA071244PDF.scr	32
PID 5032 wrote to memory of 2360	5032	aspnet_compiler.exe	35
PID 5032 wrote to memory of 2360	5032	aspnet_compiler.exe	35
PID 5032 wrote to memory of 2360	5032	aspnet_compiler.exe	35
PID 2360 wrote to memory of 444	2360	cmd.exe	37
PID 2360 wrote to memory of 444	2360	cmd.exe	37
PID 2360 wrote to memory of 444	2360	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244PDF.scr
"C:\Users\Admin\AppData\Local\Temp\QUOTATION_NOVQTRA071244PDF.scr" /S
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2416-0-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

Filesize
4KB

Download
memory/2416-1-0x0000000000FD0000-0x000000000113E000-memory.dmp

Filesize
1.4MB

Download
memory/2416-2-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/2416-3-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-4-0x000000001C600000-0x000000001C708000-memory.dmp

Filesize
1.0MB

Download
memory/2416-5-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-6-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-12-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-8-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-26-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-37-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-10-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-51-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-22-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-48-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-60-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-68-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-66-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-64-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-62-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-58-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-56-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-54-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-52-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-46-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-44-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-42-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-40-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-38-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-34-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-32-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-30-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-28-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-24-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-20-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-18-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-16-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-14-0x000000001C600000-0x000000001C702000-memory.dmp

Filesize
1.0MB

Download
memory/2416-1079-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-1081-0x0000000000A70000-0x0000000000ABC000-memory.dmp

Filesize
304KB

Download
memory/2416-1080-0x000000001A9C0000-0x000000001AA3A000-memory.dmp

Filesize
488KB

Download
memory/2416-1083-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

Filesize
4KB

Download
memory/2416-1084-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-1082-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-1085-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-1086-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2416-1087-0x0000000000F00000-0x0000000000F54000-memory.dmp

Filesize
336KB

Download
memory/2416-1091-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/5032-1089-0x0000000000060000-0x0000000000088000-memory.dmp

Filesize
160KB

Download
memory/5032-1090-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

Filesize
4KB

Download
memory/5032-1092-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/5032-1093-0x00000000026A0000-0x00000000026C4000-memory.dmp

Filesize
144KB

Download
memory/5032-1094-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/5032-1095-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/5032-1096-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/5032-1097-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/5032-1098-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/5032-1099-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/5032-1101-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download