snakekeylogger | 539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe
Size

2.1MB
MD5

022dbaa1df24d488b03ecb058a521613
SHA1

9f12948c741b6b27cce58d4cd804a2f988feddf2
SHA256

539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8
SHA512

1d23c5d6a8b384e2c746865da221a14d6cb7f9260597c4785ae527798e9215027bbc089b5214389ff2bbae180ba6cbec547df6c5d901ff6a56d2fb4909e50880
SSDEEP

49152:0l328U2yfZrnJhlp9tHfYoEaTSiz23THT3WSMpDgF/qB0Rj6KIeVSc/zui:a30DfJJhX/LEQkF/qBk6K2c/ii

Score

10^/10

snakekeylogger discovery keylogger stealer upx

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot1628099890:AAEoyPqXzUZV0NK78yRGbDMLJqRw0vcASbg/sendMessage?chat_id=1217600190

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 4 IoCs

resource	yara_rule
behavioral1/memory/2944-43-0x0000000000090000-0x00000000000B6000-memory.dmp	family_snakekeylogger
behavioral1/memory/2944-44-0x0000000000090000-0x00000000000B6000-memory.dmp	family_snakekeylogger
behavioral1/memory/2944-51-0x0000000000090000-0x00000000000B6000-memory.dmp	family_snakekeylogger
behavioral1/memory/2944-48-0x0000000000090000-0x00000000000B6000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\caulds.vbs	caulds.exe

Executes dropped EXE 4 IoCs

pid	Process
2456	EmbeddedExe1.exe
2312	EmbeddedExe2.exe
1176	Process not Found
2844	caulds.exe

Loads dropped DLL 3 IoCs

pid	Process
848	539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe
848	539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe
2456	EmbeddedExe1.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org
8	reallyfreegeoip.org
9	reallyfreegeoip.org

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2844-33-0x0000000000930000-0x0000000000A6E000-memory.dmp	autoit_exe
behavioral1/memory/2456-30-0x0000000000FA0000-0x00000000010DE000-memory.dmp	autoit_exe
behavioral1/memory/2844-53-0x0000000000930000-0x0000000000A6E000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2844 set thread context of 2944	2844	caulds.exe	34

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000012117-6.dat	upx
behavioral1/memory/2456-8-0x0000000000FA0000-0x00000000010DE000-memory.dmp	upx
behavioral1/memory/2844-33-0x0000000000930000-0x0000000000A6E000-memory.dmp	upx
behavioral1/memory/2456-30-0x0000000000FA0000-0x00000000010DE000-memory.dmp	upx
behavioral1/memory/2844-53-0x0000000000930000-0x0000000000A6E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EmbeddedExe1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caulds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2944	RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2312	EmbeddedExe2.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2844	caulds.exe
2844	caulds.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2456	EmbeddedExe1.exe
2456	EmbeddedExe1.exe
2844	caulds.exe
2844	caulds.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2456	EmbeddedExe1.exe
2456	EmbeddedExe1.exe
2844	caulds.exe
2844	caulds.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2456	848	539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe	31
PID 848 wrote to memory of 2456	848	539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe	31
PID 848 wrote to memory of 2456	848	539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe	31
PID 848 wrote to memory of 2456	848	539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe	31
PID 848 wrote to memory of 2312	848	539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe	32
PID 848 wrote to memory of 2312	848	539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe	32
PID 848 wrote to memory of 2312	848	539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe	32
PID 2456 wrote to memory of 2844	2456	EmbeddedExe1.exe	33
PID 2456 wrote to memory of 2844	2456	EmbeddedExe1.exe	33
PID 2456 wrote to memory of 2844	2456	EmbeddedExe1.exe	33
PID 2456 wrote to memory of 2844	2456	EmbeddedExe1.exe	33
PID 2844 wrote to memory of 2944	2844	caulds.exe	34
PID 2844 wrote to memory of 2944	2844	caulds.exe	34
PID 2844 wrote to memory of 2944	2844	caulds.exe	34
PID 2844 wrote to memory of 2944	2844	caulds.exe	34
PID 2844 wrote to memory of 2944	2844	caulds.exe	34
PID 2844 wrote to memory of 2944	2844	caulds.exe	34
PID 2844 wrote to memory of 2944	2844	caulds.exe	34
PID 2844 wrote to memory of 2944	2844	caulds.exe	34
PID 2944 wrote to memory of 2680	2944	RegSvcs.exe	36
PID 2944 wrote to memory of 2680	2944	RegSvcs.exe	36
PID 2944 wrote to memory of 2680	2944	RegSvcs.exe	36
PID 2944 wrote to memory of 2680	2944	RegSvcs.exe	36
PID 2680 wrote to memory of 3052	2680	cmd.exe	38
PID 2680 wrote to memory of 3052	2680	cmd.exe	38
PID 2680 wrote to memory of 3052	2680	cmd.exe	38
PID 2680 wrote to memory of 3052	2680	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe
"C:\Users\Admin\AppData\Local\Temp\539ee7af02fcbd28659831dd774581f76ee66ca6238d12af286158f2f343f3b8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\EmbeddedExe1.exe
  "C:\Users\Admin\AppData\Local\Temp\EmbeddedExe1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Users\Admin\AppData\Local\poufs\caulds.exe
    "C:\Users\Admin\AppData\Local\Temp\EmbeddedExe1.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\EmbeddedExe1.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
- C:\Users\Admin\AppData\Local\Temp\EmbeddedExe2.exe
  "C:\Users\Admin\AppData\Local\Temp\EmbeddedExe2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EmbeddedExe1.exe

Filesize
545KB

MD5
47310e2d76477f79641f8703027a60b0

SHA1
bba7157bfab11d11b6912cb0012e117de61d175a

SHA256
54f08d458c3a9b5b6553e6bc6810fd9071d7bc2a517576d4dcc45b1ca0a47d1f

SHA512
ccf55e9915002e828feec50c58ec1ccac378c0b1a1e081e5b2e542457ff4a2866aebaeeeb40bfe6188938b4e1dc0bc1c770e33a012752d28429f8b14ed7fb7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EmbeddedExe2.exe

Filesize
1.6MB

MD5
5efef6cc9cd24baeeed71c1107fc32df

SHA1
3cfc9764083154f682a38831c8229e3e29cbe3ef

SHA256
e61b8f44ab92cf0f9cb1101347967d31e1839979142a4114a7dd02aa237ba021

SHA512
cecd98f0e238d7387b44838251b795bb95e85ec8d35242fc24532ba21929759685205133923268bf8bc0e2ded37db7d88ecbe2b692d2be6f09c6d92a57d1fdac

Download Submit
memory/848-0-0x000007FEF5FD3000-0x000007FEF5FD4000-memory.dmp

Filesize
4KB

Download
memory/848-1-0x0000000000180000-0x00000000003A6000-memory.dmp

Filesize
2.1MB

Download
memory/2456-30-0x0000000000FA0000-0x00000000010DE000-memory.dmp

Filesize
1.2MB

Download
memory/2456-31-0x0000000002AC0000-0x0000000002BFE000-memory.dmp

Filesize
1.2MB

Download
memory/2456-24-0x00000000007F0000-0x0000000000BF0000-memory.dmp

Filesize
4.0MB

Download
memory/2456-8-0x0000000000FA0000-0x00000000010DE000-memory.dmp

Filesize
1.2MB

Download
memory/2456-54-0x0000000002AC0000-0x0000000002BFE000-memory.dmp

Filesize
1.2MB

Download
memory/2844-33-0x0000000000930000-0x0000000000A6E000-memory.dmp

Filesize
1.2MB

Download
memory/2844-53-0x0000000000930000-0x0000000000A6E000-memory.dmp

Filesize
1.2MB

Download
memory/2944-43-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/2944-44-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/2944-51-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download
memory/2944-48-0x0000000000090000-0x00000000000B6000-memory.dmp

Filesize
152KB

Download