snakekeylogger | 63720cee53de8a33b4f221bbb0950e09d8eb5652beda60f99ed98165ebc447e2

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 17:05

Target

CTM BREAKDOWN.exe
Size

537KB
MD5

3e97c23c4c1c6f721c910c08e25a60cc
SHA1

d92304392377198b3b3cd95aa8de1572d75d7fb8
SHA256

4e2186d44f67e0ebc4ee9ecd68191b31849604930dd5babe6106e1e191b7874c
SHA512

6a2007d1a0660bb53f4a191b662241b8242e5e2e3ab6e220735da068cb69a6259465d2f5b5e533bdf3f4b36a7fde5edd75c4962afbb43edd8e39f151e2b3dbb5
SSDEEP

12288:/sdrEx695u8R6GfeZPrTxegfLiAUR0Jv/v+HLuSn:0drEsTu8kGfeZzTxegfmlUv/CLB

Score

10^/10

Family

snakekeylogger

Credentials

http://103.130.147.85

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Snake Keylogger payload 1 IoCs

Processes:

resource yara_rule

behavioral4/memory/2812-9-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

CTM BREAKDOWN.exe

description pid process target process

PID 4032 set thread context of 2812 4032 CTM BREAKDOWN.exe CTM BREAKDOWN.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5104 2812 WerFault.exe CTM BREAKDOWN.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

CTM BREAKDOWN.exe

pid process

2812 CTM BREAKDOWN.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CTM BREAKDOWN.exe

description pid process

Token: SeDebugPrivilege 2812 CTM BREAKDOWN.exe

resource	yara_rule
behavioral4/memory/2812-9-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

flow	ioc
3	checkip.dyndns.org

description	pid	process	target process
PID 4032 set thread context of 2812	4032	CTM BREAKDOWN.exe	CTM BREAKDOWN.exe

pid	pid_target	process	target process
5104	2812	WerFault.exe	CTM BREAKDOWN.exe

pid	process
2812	CTM BREAKDOWN.exe

description	pid	process
Token: SeDebugPrivilege	2812	CTM BREAKDOWN.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

CTM BREAKDOWN.exe

description	pid	process	target process
PID 4032 wrote to memory of 2812	4032	CTM BREAKDOWN.exe	CTM BREAKDOWN.exe
PID 4032 wrote to memory of 2812	4032	CTM BREAKDOWN.exe	CTM BREAKDOWN.exe
PID 4032 wrote to memory of 2812	4032	CTM BREAKDOWN.exe	CTM BREAKDOWN.exe
PID 4032 wrote to memory of 2812	4032	CTM BREAKDOWN.exe	CTM BREAKDOWN.exe
PID 4032 wrote to memory of 2812	4032	CTM BREAKDOWN.exe	CTM BREAKDOWN.exe
PID 4032 wrote to memory of 2812	4032	CTM BREAKDOWN.exe	CTM BREAKDOWN.exe
PID 4032 wrote to memory of 2812	4032	CTM BREAKDOWN.exe	CTM BREAKDOWN.exe
PID 4032 wrote to memory of 2812	4032	CTM BREAKDOWN.exe	CTM BREAKDOWN.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 1448
3⤵
- Program crash
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2812 -ip 2812
1⤵
PID:752

memory/2812-9-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2812-14-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/2812-11-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/2812-10-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4032-3-0x00000000051A0000-0x0000000005232000-memory.dmp

Filesize
584KB

Download
memory/4032-5-0x00000000053C0000-0x00000000053CA000-memory.dmp

Filesize
40KB

Download
memory/4032-6-0x00000000053D0000-0x0000000005424000-memory.dmp

Filesize
336KB

Download
memory/4032-7-0x0000000005500000-0x000000000559C000-memory.dmp

Filesize
624KB

Download
memory/4032-8-0x0000000005450000-0x0000000005458000-memory.dmp

Filesize
32KB

Download
memory/4032-4-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4032-0-0x000000007465E000-0x000000007465F000-memory.dmp

Filesize
4KB

Download
memory/4032-2-0x0000000005750000-0x0000000005CF4000-memory.dmp

Filesize
5.6MB

Download
memory/4032-13-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/4032-1-0x0000000000710000-0x000000000079C000-memory.dmp

Filesize
560KB

Download