snakekeylogger | 90848c37456f162fccbaf5d52c476fdd73d42522701461bf37a1d55bb31f564b

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QUOTATION_DECQTRA071244PDF.scr.exe
Size

1.5MB
MD5

fecf54a27dcb1e2b7efbebf01a6c6c48
SHA1

d1fe59233d618c9edf97dd138bcdf48dfc3c3f07
SHA256

90848c37456f162fccbaf5d52c476fdd73d42522701461bf37a1d55bb31f564b
SHA512

793addb938b2884e07fc1bcc23a4d5f60c14791c2b42e59d91240a2ee47adc0345d4d9a695bc49953f5eb6653d241dd2e15e83246e3c44c674c16a16f1bd288c
SSDEEP

24576:S45atrPaNBwGaO0bAuLz+uw2B+3ohnqtH0tGf:SCQP4paOQvND+3ohw0t2

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
gator3220.hostgator.com
Port:
587
Username:
[email protected]
Password:
JOYEss..&UK55@@!!
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral1/memory/4700-1192-0x0000000000AC0000-0x0000000000AE4000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2340	QUOTATION_DECQTRA071244PDF.scr.exe
4700	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	QUOTATION_DECQTRA071244PDF.scr.exe
Token: SeDebugPrivilege	2340	QUOTATION_DECQTRA071244PDF.scr.exe
Token: SeDebugPrivilege	4700	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 4700	2340	QUOTATION_DECQTRA071244PDF.scr.exe	31
PID 2340 wrote to memory of 4700	2340	QUOTATION_DECQTRA071244PDF.scr.exe	31
PID 2340 wrote to memory of 4700	2340	QUOTATION_DECQTRA071244PDF.scr.exe	31
PID 2340 wrote to memory of 4700	2340	QUOTATION_DECQTRA071244PDF.scr.exe	31
PID 4700 wrote to memory of 4992	4700	aspnet_compiler.exe	33
PID 4700 wrote to memory of 4992	4700	aspnet_compiler.exe	33
PID 4700 wrote to memory of 4992	4700	aspnet_compiler.exe	33
PID 4992 wrote to memory of 5028	4992	cmd.exe	35
PID 4992 wrote to memory of 5028	4992	cmd.exe	35
PID 4992 wrote to memory of 5028	4992	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\QUOTATION_DECQTRA071244PDF.scr.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION_DECQTRA071244PDF.scr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2340-0-0x000007FEF4F13000-0x000007FEF4F14000-memory.dmp

Filesize
4KB

Download
memory/2340-1-0x00000000011F0000-0x000000000136A000-memory.dmp

Filesize
1.5MB

Download
memory/2340-2-0x000000001C270000-0x000000001C37A000-memory.dmp

Filesize
1.0MB

Download
memory/2340-3-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

Filesize
9.9MB

Download
memory/2340-4-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-5-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-7-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-9-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-11-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-13-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-15-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-17-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-19-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-21-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-25-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-37-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-53-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-63-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-23-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-1181-0x00000000005A0000-0x00000000005EC000-memory.dmp

Filesize
304KB

Download
memory/2340-1180-0x0000000001170000-0x00000000011EC000-memory.dmp

Filesize
496KB

Download
memory/2340-1182-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

Filesize
9.9MB

Download
memory/2340-67-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-65-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-61-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-59-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-57-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-55-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-51-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-49-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-47-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-45-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-43-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-41-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-39-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-35-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-33-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-31-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-29-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-27-0x000000001C270000-0x000000001C374000-memory.dmp

Filesize
1.0MB

Download
memory/2340-1183-0x000007FEF4F13000-0x000007FEF4F14000-memory.dmp

Filesize
4KB

Download
memory/2340-1184-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

Filesize
9.9MB

Download
memory/2340-1185-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

Filesize
9.9MB

Download
memory/2340-1186-0x0000000000930000-0x0000000000984000-memory.dmp

Filesize
336KB

Download
memory/2340-1188-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

Filesize
9.9MB

Download
memory/2340-1189-0x000007FEF4F10000-0x000007FEF58FC000-memory.dmp

Filesize
9.9MB

Download
memory/4700-1190-0x0000000000060000-0x0000000000088000-memory.dmp

Filesize
160KB

Download
memory/4700-1191-0x000007FEF4523000-0x000007FEF4524000-memory.dmp

Filesize
4KB

Download
memory/4700-1192-0x0000000000AC0000-0x0000000000AE4000-memory.dmp

Filesize
144KB

Download
memory/4700-1193-0x000007FEF4520000-0x000007FEF4F0C000-memory.dmp

Filesize
9.9MB

Download
memory/4700-1194-0x000007FEF4520000-0x000007FEF4F0C000-memory.dmp

Filesize
9.9MB

Download
memory/4700-1195-0x000007FEF4520000-0x000007FEF4F0C000-memory.dmp

Filesize
9.9MB

Download
memory/4700-1196-0x000007FEF4520000-0x000007FEF4F0C000-memory.dmp

Filesize
9.9MB

Download
memory/4700-1197-0x000007FEF4520000-0x000007FEF4F0C000-memory.dmp

Filesize
9.9MB

Download
memory/4700-1198-0x000007FEF4520000-0x000007FEF4F0C000-memory.dmp

Filesize
9.9MB

Download
memory/4700-1200-0x000007FEF4520000-0x000007FEF4F0C000-memory.dmp

Filesize
9.9MB

Download