Keypoints
- The Snake Keylogger is a .NET infostealer discovered in 2020, also known as 404 Keylogger and 404KeyLogger, that steals credentials, clipboard data, keystrokes, and screenshots.
- It exfiltrates collected data via FTP, SMTP, and Telegram, and gathers system info (hostname, username, IP, geolocation, time).
- An email carrying the RAR attachment ‘pago 4094.r09’, which contains ‘pago 4094.exe’, shows phishing with social engineering as the initial access vector.
- Analysis reveals browser credential theft (Chrome/Edge) and persistence mechanisms, including dropping a tmp file for startup persistence.
- Network activity includes connections to 158.101.44.242 and 208.91.199.255, with SMTP-based exfiltration and use of checkip.dyndns.org to obtain external IPs.
- MITRE ATT&CK mapping covers Phishing, User Execution, Credentials from Password Stores, Unsecured Credentials, Registry/Discovery, and C2 via Application Layer Protocol (SMTP).
MITRE Techniques
- [T1566] Phishing – Spearphishing Attachment – The phishing email entices the recipient to download and open the attachment via social engineering. ‘The phishing email … entices the recipient to download and open the attachment via social engineering’
- [T1204] User Execution – Malicious File – The executable ‘pago 4094.exe’ was executed by double-clicking the Desktop icon. ‘In this case, “pago 4094.exe” was executed by double-clicking the Desktop icon.’
- [T1555] Credentials from Password Stores – Credentials from Web Browsers – Process 3868 steals credentials from browsers such as Chrome, Opera, and Edge. ‘The malware … steals credentials from browsers and files’
- [T1552] Unsecured Credentials – Credentials In Files – Includes access attempts to browser login data and other credential stores. ‘Unsecured Credentials: Credentials In Files’
- [T1012] Query Registry – The attackers query the Windows Registry to gather information. ‘Query Registry’
- [T1082] System Information Discovery – The malware collects system information (OS, hardware, etc.). ‘System Information Discovery’
- [T1518] Software Discovery – Discovery of installed software and browser-related data. ‘Software Discovery’
- [T1016] System Network Configuration Discovery – Discovery of network configuration settings and external IPs. ‘System Network Configuration Discovery’
- [T1071] Application Layer Protocol – C2 over SMTP – Data exfiltration and C2 communications occur using SMTP (port 587). ‘Application Layer Protocol: Mail Protocols’
Indicators of Compromise
- [IP] Destination IP – 158.101.44.242 (checkip.dyndns.org) for external IP checks
- [IP] Destination IP – 208.91.199.255 (us2.smtp.mailhostbox.com) for SMTP exfiltration
- [Domain] Domain – checkip.dyndns.org (IP checking service used by the malware)
- [Domain] Domain – us2.smtp.mailhostbox.com (SMTP server used for data exfiltration)
- [Hash] MD5 – 1A0F4CC0513F1B56FEF01C815410C6EA (pago 4094.exe)
- [Hash] SHA1 – A663C9ECF8F488D6E07B892165AE0A3712B0E91F (pago 4094.exe)
- [Hash] SHA256 – D483D48C15F797C92C89D2EAFCC9FC7CBE0C02CABE1D9130BB9069E8C897C94C (pago 4094.exe)
- [Hash] MD5 – 60D00C17D3EA15910893EEF868DE7A65 (32b4f238-3516-….eml)
- [Hash] SHA1 – 1D17DD1688A903CBE423D8DE58F8A7AB7ECE1EA5 (32b4f238-3516-….eml)
- [File] File name – pago 4094.r09 (RAR archive)
- [File] File name – pago 4094.exe
- [File] File name – 32b4f238-3516-b261-c3ae-0c570d22ee18.eml
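The indicators above can be turned into a small hunting rule. The following Python, added here as an example and not taken from the any.run article, correlates two things the key points describe: a lookup of checkip.dyndns.org followed shortly by outbound SMTP (port 587) from a process that is not a normal mail client. The log format, the 10-minute window and the mail-client allowlist are assumptions; the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Indicators listed in the analysis above.
IOC_IPS = {"158.101.44.242", "208.91.199.255"}
IOC_DOMAINS = {"checkip.dyndns.org", "us2.smtp.mailhostbox.com"}
# Assumption: processes that legitimately speak SMTP in this environment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
WINDOW = timedelta(minutes=10)  # assumed: IP check -> SMTP within 10 minutes

# Constructed log format: "<iso-timestamp> <host> <dns|conn> key=value ..."
LINE_RE = re.compile(r"^(\S+) (\S+) (dns|conn) (.*)$")
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")  # values may contain spaces

def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, kind, rest = m.groups()
    ev = {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind}
    ev.update(KV_RE.findall(rest))
    return ev

def analyze(log_text):
    """Return {host: sorted list of findings} for IoC hits and the
    ip-check-then-SMTP behaviour chain."""
    findings, last_ipcheck = {}, {}  # last_ipcheck: host -> time of lookup
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        hits = findings.setdefault(ev["host"], set())
        if ev["kind"] == "dns":
            if ev["query"] in IOC_DOMAINS:
                hits.add(f"ioc-domain:{ev['query']}")
            if ev["query"] == "checkip.dyndns.org":
                last_ipcheck[ev["host"]] = ev["ts"]
        else:
            if ev["dst"] in IOC_IPS:
                hits.add(f"ioc-ip:{ev['dst']}")
            if ev["dport"] == "587" and ev["proc"].lower() not in MAIL_CLIENTS:
                t0 = last_ipcheck.get(ev["host"])
                if t0 is not None and ev["ts"] - t0 <= WINDOW:
                    hits.add(f"ipcheck-then-smtp:{ev['proc']}")
    return {h: sorted(f) for h, f in findings.items()}

SAMPLE_LOGS = """\
2024-05-01T10:00:01 WS01 dns query=checkip.dyndns.org answer=158.101.44.242
2024-05-01T10:00:03 WS01 conn dst=158.101.44.242 dport=80 proc=pago 4094.exe
2024-05-01T10:00:05 WS01 conn dst=208.91.199.255 dport=587 proc=pago 4094.exe
2024-05-01T10:00:06 WS02 dns query=checkip.dyndns.org answer=158.101.44.242
2024-05-01T10:30:00 WS02 conn dst=10.0.0.25 dport=587 proc=outlook.exe
2024-05-01T11:00:00 WS03 conn dst=208.91.199.255 dport=587 proc=thunderbird.exe
"""
```

WS01 trips both the IoC matches and the behaviour chain; WS02 and WS03 only match single indicators, which is why the chain is worth alerting on separately once the listed IPs rotate.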
Read more: https://any.run/cybersecurity-blog/analyzing-snake-keylogger/