snakekeylogger | 61abb5aa05411cf92a1d762864cc824d594ffdd2dad4c2ca7f1c2f0c30e2a786

Analysis

max time kernel
97s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/01/2025, 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zamwienia31012025DJZK25010325_pdf.scr
Size

30KB
MD5

08bb8be80a2856a077319f59990154a9
SHA1

373db0eedecdd0bb8e3e2457f4390e3a363e1ad6
SHA256

61abb5aa05411cf92a1d762864cc824d594ffdd2dad4c2ca7f1c2f0c30e2a786
SHA512

b11f003396781bc595c3a7eed18fd3322d23b0bdfc97450d8990060c6f49877d9e7b2e17beaa21a3bf4229d037043985a68962f79192b76ae41f5305b06bf37b
SSDEEP

768:F8tDJhV6NTXJabo47/5xxwHBfKuL7BykI8:F8tDJhVKjJabog5/SXBykb

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

https://api.telegram.org/bot8018149517:AAGK_JH2rbFUhupxezqUln9lvYu9km5btWY/sendMessage?chat_id=7250529719

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral2/memory/1188-1346-0x0000000140000000-0x0000000140024000-memory.dmp	family_snakekeylogger

Snakekeylogger family
snakekeylogger

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4856 created 3428	4856	zamwienia31012025DJZK25010325_pdf.scr	56

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4856 set thread context of 1188	4856	zamwienia31012025DJZK25010325_pdf.scr	89

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4856	zamwienia31012025DJZK25010325_pdf.scr
4856	zamwienia31012025DJZK25010325_pdf.scr
4856	zamwienia31012025DJZK25010325_pdf.scr
1188	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4856	zamwienia31012025DJZK25010325_pdf.scr
Token: SeDebugPrivilege	4856	zamwienia31012025DJZK25010325_pdf.scr
Token: SeDebugPrivilege	1188	InstallUtil.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 1188	4856	zamwienia31012025DJZK25010325_pdf.scr	89
PID 4856 wrote to memory of 1188	4856	zamwienia31012025DJZK25010325_pdf.scr	89
PID 4856 wrote to memory of 1188	4856	zamwienia31012025DJZK25010325_pdf.scr	89
PID 4856 wrote to memory of 1188	4856	zamwienia31012025DJZK25010325_pdf.scr	89
PID 4856 wrote to memory of 1188	4856	zamwienia31012025DJZK25010325_pdf.scr	89
PID 4856 wrote to memory of 1188	4856	zamwienia31012025DJZK25010325_pdf.scr	89

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\zamwienia31012025DJZK25010325_pdf.scr
  "C:\Users\Admin\AppData\Local\Temp\zamwienia31012025DJZK25010325_pdf.scr" /S
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4856
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1188-1346-0x0000000140000000-0x0000000140024000-memory.dmp

Filesize
144KB

Download
memory/1188-1347-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/1188-1348-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/1188-1349-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/4856-1-0x00000233DE170000-0x00000233DE17A000-memory.dmp

Filesize
40KB

Download
memory/4856-0-0x00007FFA73F03000-0x00007FFA73F05000-memory.dmp

Filesize
8KB

Download
memory/4856-2-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/4856-3-0x00000233F8820000-0x00000233F8928000-memory.dmp

Filesize
1.0MB

Download
memory/4856-23-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-7-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-5-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-4-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-35-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-67-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-65-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-61-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-59-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-57-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-55-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-53-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-51-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-49-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-47-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-45-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-43-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-41-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-39-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-33-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-31-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-29-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-27-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-25-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-21-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-19-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-17-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-15-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-13-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-11-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-9-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-63-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-37-0x00000233F8820000-0x00000233F8922000-memory.dmp

Filesize
1.0MB

Download
memory/4856-1326-0x00007FFA73F03000-0x00007FFA73F05000-memory.dmp

Filesize
8KB

Download
memory/4856-1327-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/4856-1328-0x00000233F8930000-0x00000233F8992000-memory.dmp

Filesize
392KB

Download
memory/4856-1329-0x00000233F8990000-0x00000233F89F0000-memory.dmp

Filesize
384KB

Download
memory/4856-1331-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/4856-1330-0x00000233F8A60000-0x00000233F8AAC000-memory.dmp

Filesize
304KB

Download
memory/4856-1332-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/4856-1333-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/4856-1334-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/4856-1335-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/4856-1336-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/4856-1337-0x00000233F9B60000-0x00000233F9BB4000-memory.dmp

Filesize
336KB

Download
memory/4856-1342-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/4856-1345-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download
memory/4856-1344-0x00007FFA73F00000-0x00007FFA749C1000-memory.dmp

Filesize
10.8MB

Download