snakekeylogger | 5e38e3d0a442ea94f31e31b53084f904ab45661dc50c9abec49c0a016dea64a4

General

Target

(RFQ) - ATTIQ - 10230-2413_TEMPORARY CONSTRUCTION FACILITIES.exe
Size

768KB
MD5

519f9833658acf4cbfc0139b990f1411
SHA1

0067b543a25625c4ebe64e633fbc4a5fb927045d
SHA256

e61a3b81de7fce074598eb722f5d11e2ccd26032eadfc0d7f2170b03e02a2b79
SHA512

c498c9edb4b3f22970614c6402dfde64bc857c273199913f3c2adfa4882c8dc9e46af1d491fed0157705954f3f3593a69b0ee1b158b8460c93001533914b9802
SSDEEP

12288:HZKKsn3qGaNHEyC9/oR9gy5FHK7zUXbmiE+JKTNAOhPI5l1yt8jKOhTNMxst1bHH:HZKKUPp9AR95yAivxtwlwdgMxGp9

Score

10^/10

snakekeylogger discovery keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
smtp.fireacoustics.com
Port:
587
Username:
[email protected]
Password:
_d:rzD~62Jxh
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/3028-13-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	checkip.dyndns.org
34	freegeoip.app
35	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4932 set thread context of 3028	4932	(RFQ) - ATTIQ - 10230-2413_TEMPORARY CONSTRUCTION FACILITIES.exe	91

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3372	3028	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	(RFQ) - ATTIQ - 10230-2413_TEMPORARY CONSTRUCTION FACILITIES.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3028	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	MSBuild.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 3028	4932	(RFQ) - ATTIQ - 10230-2413_TEMPORARY CONSTRUCTION FACILITIES.exe	91
PID 4932 wrote to memory of 3028	4932	(RFQ) - ATTIQ - 10230-2413_TEMPORARY CONSTRUCTION FACILITIES.exe	91
PID 4932 wrote to memory of 3028	4932	(RFQ) - ATTIQ - 10230-2413_TEMPORARY CONSTRUCTION FACILITIES.exe	91
PID 4932 wrote to memory of 3028	4932	(RFQ) - ATTIQ - 10230-2413_TEMPORARY CONSTRUCTION FACILITIES.exe	91
PID 4932 wrote to memory of 3028	4932	(RFQ) - ATTIQ - 10230-2413_TEMPORARY CONSTRUCTION FACILITIES.exe	91
PID 4932 wrote to memory of 3028	4932	(RFQ) - ATTIQ - 10230-2413_TEMPORARY CONSTRUCTION FACILITIES.exe	91
PID 4932 wrote to memory of 3028	4932	(RFQ) - ATTIQ - 10230-2413_TEMPORARY CONSTRUCTION FACILITIES.exe	91
PID 4932 wrote to memory of 3028	4932	(RFQ) - ATTIQ - 10230-2413_TEMPORARY CONSTRUCTION FACILITIES.exe	91

C:\Users\Admin\AppData\Local\Temp\(RFQ) - ATTIQ - 10230-2413_TEMPORARY CONSTRUCTION FACILITIES.exe
"C:\Users\Admin\AppData\Local\Temp\(RFQ) - ATTIQ - 10230-2413_TEMPORARY CONSTRUCTION FACILITIES.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 1740
    3⤵
    - Program crash
    PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3028 -ip 3028
1⤵
PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3028-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3028-18-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/3028-17-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/3028-15-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/4932-8-0x0000000005F10000-0x0000000005F26000-memory.dmp

Filesize
88KB

Download
memory/4932-11-0x0000000008A60000-0x0000000008AE8000-memory.dmp

Filesize
544KB

Download
memory/4932-6-0x0000000005AA0000-0x0000000005AF6000-memory.dmp

Filesize
344KB

Download
memory/4932-7-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/4932-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/4932-9-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/4932-10-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/4932-5-0x00000000058D0000-0x00000000058DA000-memory.dmp

Filesize
40KB

Download
memory/4932-12-0x000000000B1E0000-0x000000000B206000-memory.dmp

Filesize
152KB

Download
memory/4932-4-0x00000000059A0000-0x0000000005A32000-memory.dmp

Filesize
584KB

Download
memory/4932-16-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/4932-3-0x0000000005F50000-0x00000000064F4000-memory.dmp

Filesize
5.6MB

Download
memory/4932-2-0x0000000005900000-0x000000000599C000-memory.dmp

Filesize
624KB

Download
memory/4932-1-0x0000000000E50000-0x0000000000F16000-memory.dmp

Filesize
792KB

Download

Analysis

Sharing