snakekeylogger | 82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 01:42

Target

82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe
Size

1015KB
MD5

9b36f1a92adf3c03c596bdda4e8ba903
SHA1

a0bc8f5b57813ad72b2d95c87ce42b1abd0a4f41
SHA256

82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375
SHA512

3351c0da097559464081be12a9e44892374b914e62e07f987b514d499d8e03a80b4c509d9d26e34051ffc2bf0917dc0a635f0864182cd7b8a6ccf247bec43f92
SSDEEP

24576:3qDEvCTbMWu7rQYlBQcBiT6rprG8aL5DLN:3TvC/MTQYxsWR7aL5P

Score

10^/10

Family

snakekeylogger

Credentials

https://scratchdreams.tk

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2492-11-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2492-15-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral1/memory/2492-13-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe

description pid process target process

PID 2228 set thread context of 2492 2228 82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe RegSvcs.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2272 2492 WerFault.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RegSvcs.exe

pid process

2492 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe

pid process

2228 82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2492 RegSvcs.exe

flow	ioc
4	checkip.dyndns.org

description	pid	process	target process
PID 2228 set thread context of 2492	2228	82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe	RegSvcs.exe

pid	pid_target	process	target process
2272	2492	WerFault.exe	RegSvcs.exe

pid	process
2492	RegSvcs.exe

pid	process
2228	82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe

description	pid	process
Token: SeDebugPrivilege	2492	RegSvcs.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exeRegSvcs.exe

description	pid	process	target process
PID 2228 wrote to memory of 2492	2228	82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe	RegSvcs.exe
PID 2228 wrote to memory of 2492	2228	82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe	RegSvcs.exe
PID 2228 wrote to memory of 2492	2228	82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe	RegSvcs.exe
PID 2228 wrote to memory of 2492	2228	82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe	RegSvcs.exe
PID 2228 wrote to memory of 2492	2228	82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe	RegSvcs.exe
PID 2228 wrote to memory of 2492	2228	82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe	RegSvcs.exe
PID 2228 wrote to memory of 2492	2228	82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe	RegSvcs.exe
PID 2228 wrote to memory of 2492	2228	82a691d0d2c89557642dc0fc22bc2edd02461c64f2b21fd225f2993d4350b375.exe	RegSvcs.exe
PID 2492 wrote to memory of 2272	2492	RegSvcs.exe	WerFault.exe
PID 2492 wrote to memory of 2272	2492	RegSvcs.exe	WerFault.exe
PID 2492 wrote to memory of 2272	2492	RegSvcs.exe	WerFault.exe
PID 2492 wrote to memory of 2272	2492	RegSvcs.exe	WerFault.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 1048
3⤵
- Program crash
PID:2272

memory/2228-10-0x00000000001D0000-0x00000000001D4000-memory.dmp

Filesize
16KB

Download
memory/2492-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2492-15-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2492-13-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2492-16-0x000000007423E000-0x000000007423F000-memory.dmp

Filesize
4KB

Download
memory/2492-17-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/2492-18-0x000000007423E000-0x000000007423F000-memory.dmp

Filesize
4KB

Download
memory/2492-19-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download