snakekeylogger | aaf8861d86cdf5016425fcfa112e8e76126ff41008d69ad6f149b4ca9d6ba67d

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe
Size

880KB
MD5

d2f01bfba149898d86d9f9b1344c871c
SHA1

7002ec5c910a1883fd5c56aecf17c8182a175acb
SHA256

63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b
SHA512

9607a66aa1f572504fa68ca6464cde5763c13e72ff66e1cb94bc8f1e8d4e6765390371664b18cfadc6954b21c711ac9f05c95dd6c38945d6f9ed2ce653237254
SSDEEP

12288:bEfVhpe/ijKZVn6fYpoW0eJRWmoaoTxAKScque4RJjBQ+60NAIJxT6t4kR:bEfVyijKZV6g+VeJRLVoTx4z/4RY6gv

Score

10^/10

snakekeylogger discovery execution keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot7692220058:AAHVndQO9RuaWbiX3k3pjx15TMCoeBS0WKU/sendMessage?chat_id=7342994424

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

resource	yara_rule
behavioral1/memory/2804-20-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2804-18-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2804-23-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2804-26-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2804-24-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2748	powershell.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	checkip.dyndns.org
8	reallyfreegeoip.org
9	reallyfreegeoip.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 840 set thread context of 2804	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe
840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe
2804	vbc.exe
2748	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe
Token: SeDebugPrivilege	2804	vbc.exe
Token: SeDebugPrivilege	2748	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 2748	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	31
PID 840 wrote to memory of 2748	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	31
PID 840 wrote to memory of 2748	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	31
PID 840 wrote to memory of 2748	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	31
PID 840 wrote to memory of 2820	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	32
PID 840 wrote to memory of 2820	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	32
PID 840 wrote to memory of 2820	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	32
PID 840 wrote to memory of 2820	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	32
PID 840 wrote to memory of 2488	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	35
PID 840 wrote to memory of 2488	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	35
PID 840 wrote to memory of 2488	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	35
PID 840 wrote to memory of 2488	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	35
PID 840 wrote to memory of 2804	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	36
PID 840 wrote to memory of 2804	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	36
PID 840 wrote to memory of 2804	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	36
PID 840 wrote to memory of 2804	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	36
PID 840 wrote to memory of 2804	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	36
PID 840 wrote to memory of 2804	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	36
PID 840 wrote to memory of 2804	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	36
PID 840 wrote to memory of 2804	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	36
PID 840 wrote to memory of 2804	840	63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe	36
PID 2804 wrote to memory of 2448	2804	vbc.exe	38
PID 2804 wrote to memory of 2448	2804	vbc.exe	38
PID 2804 wrote to memory of 2448	2804	vbc.exe	38
PID 2804 wrote to memory of 2448	2804	vbc.exe	38
PID 2448 wrote to memory of 1908	2448	cmd.exe	40
PID 2448 wrote to memory of 1908	2448	cmd.exe	40
PID 2448 wrote to memory of 1908	2448	cmd.exe	40
PID 2448 wrote to memory of 1908	2448	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe
"C:\Users\Admin\AppData\Local\Temp\63e970412f2465ea620ac5a86a78584366a531b7c74f1755e8b3bab4a653c65b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jdSHzBih.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdSHzBih" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEB58.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      System Location Discovery: System Language Discovery
      PID:1908

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEB58.tmp

Filesize
1KB

MD5
b24ad5c3ca50346465e6e1bba0354141

SHA1
1ef0c9290e854cba747746626f8fe38f0b8bef94

SHA256
2cb8a042a7b12d5ca1724b74dfef17136d2725742670e9d84fdbca8177df8b49

SHA512
cd6af04cc3a7ba8f1eb05d247eb0ccdc17072607159e9c39049ea7289ae34cbffb910f0eb675a029dd08e8c08b3ed431cbd92d826d53b9b06c7757f4322afdd3

Download Submit
memory/840-27-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/840-1-0x0000000000C00000-0x0000000000CDE000-memory.dmp

Filesize
888KB

Download
memory/840-2-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/840-3-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/840-4-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/840-5-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/840-6-0x0000000000690000-0x00000000006F8000-memory.dmp

Filesize
416KB

Download
memory/840-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/2804-20-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2804-17-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2804-14-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2804-23-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2804-18-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2804-26-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2804-24-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2804-22-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download