snakekeylogger | be95c3b8c727bf769a9ef892c42ff2a3ed9fe764d3297f3214e715e243c69995

General

Target

BANK INFORMATION.exe
Size

780KB
MD5

210f37c353be6b2739eaba795cd9b65a
SHA1

20bc7ff1b8e44e954290cd243d5f4eecb165b52a
SHA256

46ace3d6e4ad85d164526928dfc1827743f1f9caa7b46d342e211b807afaf55a
SHA512

ab96d81281aa8f09d86df31dd1bf900097e26778c6e3a557e746478fbc1fd3b0968aa0ea5891ff9f25abec373db9f6becf48edefa936abe7f0f06215b1bda2cd
SSDEEP

12288:R6rKqn3qGaNHEyC9/oR9gy5FHK7z9LQ5rMsYPCy+CobTDcQLiKE3dcF+P5FXpucl:RuKKPp9AR95yZAMszyiTDVWKE3zPX

Score

10^/10

snakekeylogger discovery keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
25
Username:
[email protected]
Password:
BkKMmzZ1
Email To:
[email protected]

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

resource	yara_rule
behavioral1/memory/2708-14-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2708-18-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2708-16-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2708-11-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral1/memory/2708-10-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org
8	freegeoip.app
9	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2492 set thread context of 2708	2492	BANK INFORMATION.exe	31

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2612	2708	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BANK INFORMATION.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BANK INFORMATION.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2708	BANK INFORMATION.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	BANK INFORMATION.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2708	2492	BANK INFORMATION.exe	31
PID 2492 wrote to memory of 2708	2492	BANK INFORMATION.exe	31
PID 2492 wrote to memory of 2708	2492	BANK INFORMATION.exe	31
PID 2492 wrote to memory of 2708	2492	BANK INFORMATION.exe	31
PID 2492 wrote to memory of 2708	2492	BANK INFORMATION.exe	31
PID 2492 wrote to memory of 2708	2492	BANK INFORMATION.exe	31
PID 2492 wrote to memory of 2708	2492	BANK INFORMATION.exe	31
PID 2492 wrote to memory of 2708	2492	BANK INFORMATION.exe	31
PID 2492 wrote to memory of 2708	2492	BANK INFORMATION.exe	31
PID 2708 wrote to memory of 2612	2708	BANK INFORMATION.exe	32
PID 2708 wrote to memory of 2612	2708	BANK INFORMATION.exe	32
PID 2708 wrote to memory of 2612	2708	BANK INFORMATION.exe	32
PID 2708 wrote to memory of 2612	2708	BANK INFORMATION.exe	32

C:\Users\Admin\AppData\Local\Temp\BANK INFORMATION.exe
"C:\Users\Admin\AppData\Local\Temp\BANK INFORMATION.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\BANK INFORMATION.exe
  "C:\Users\Admin\AppData\Local\Temp\BANK INFORMATION.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 1572
    3⤵
    - Program crash
    PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2492-0-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download
memory/2492-1-0x00000000009F0000-0x0000000000AB8000-memory.dmp

Filesize
800KB

Download
memory/2492-2-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-3-0x00000000005F0000-0x0000000000606000-memory.dmp

Filesize
88KB

Download
memory/2492-4-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download
memory/2492-5-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-6-0x0000000007EC0000-0x0000000007F4C000-memory.dmp

Filesize
560KB

Download
memory/2492-7-0x0000000002020000-0x0000000002044000-memory.dmp

Filesize
144KB

Download
memory/2492-20-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2708-18-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2708-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2708-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2708-19-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2708-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2708-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2708-9-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2708-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2708-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2708-21-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2708-22-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2708-23-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing