Keypoints
- Initial sample (Kqjvk.exe) is a .NET stager disguised as a PDF that downloads and AES-decrypts a second-stage payload.
- The second stage is an obfuscated .NET DLL whose unpacking behaviour only appears at runtime, so dynamic execution is required to reveal it.
- At runtime the malware spawns RegAsm.exe and creates a file mapping and an RWX memory region in that process, indicating process injection and in-memory execution of the payload.
- The final dumped module is a Snake Keylogger .NET assembly, deobfuscated with de4dot to reveal keylogger, clipboard hijack, and browser-data theft functionality.
- Configuration strings use AES and DES encryption (some with unique keys); a Telegram bot token and chat ID were recovered for C2/exfiltration.
- IOCs recovered include IPs, dynamic DNS URLs, filenames, and SHA256 hashes for the initial, second-stage, and final payloads.
MITRE Techniques
- [T1055] Process Injection – Malware executes its payload by spawning a legitimate process (RegAsm.exe) and creating a file mapping of RegAsm.exe, implying code injection (‘a new process RegAsm.exe is spawned’ / ‘creating a file mapping of RegAsm.exe, so there is likely some injection going on’).
- [T1022] Data Encrypted – Configuration and strings are protected with symmetric encryption methods; the sample uses AES for stage decryption and DES for config fields (‘The payload is then decrypted via AES with a hardcoded key’ / ‘many of the config variables are DES encrypted’).
- [T1071] Command and Control – Exfiltration and C2 are performed over the Telegram API using an embedded bot token and chat ID (‘The malware sends data via the Telegram API’ / ‘communicates with the threat actor’s Telegram bot’).
- [T1003] Credential Dumping – The final payload collects sensitive input and application data by logging keystrokes and stealing from browsers and other programs (‘can log keystrokes and steal data from all kinds of browsers or other programs’).
Indicators of Compromise
- [Telegram username] bot/operator identifiers – DopeLord, DopeLordbot (actor and bot names)
- [Telegram IDs] chat and bot IDs – 6750192797 (chat ID), 7371892501 (bot ID)
- [Telegram bot token] C2 token – 7371892501:AAE6c_q-yLsVj82ZZEmMuRlQtTm95MBjCz0
- [IP address] network callback – 51.38.247.67 (observed in HTTP callback URL)
- [URLs] payload/download and C2 endpoints – hxxps://geocs.mx/wp-includes/Ngggmyrptpi.pdf, hxxp://51[.]38[.]247[.]67:8081/_send_.php?L, and 3 more URLs
- [Filenames] sample staging and final names – Kqjvk.exe (initial stager), Remington.exe (dumped final payload)
- [Hashes (SHA256)] known samples – 71ce2b…6581 (initial Kqjvk.exe), 12a0a5…8eb1 (second-stage DLL), and 1 more hash
The sample (Kqjvk.exe) is a .NET stager that masquerades as a PDF and fetches a remote “pdf” that contains an AES-encrypted second stage; the AES key/IV are hardcoded, and the article provides a PowerShell AESDecrypt routine to reproduce the decryption. The decrypted second stage is an obfuscated .NET DLL; static inspection showed empty methods that only resolve at runtime, so the analyst executed the sample in a sandbox to observe its dynamic behavior rather than relying fully on static decompilation.
During execution the stager spawns RegAsm.exe (a legitimate Microsoft executable) as a child process and creates a file mapping and an RWX memory section within that process, indicating code injection. The analyst dumped the in-memory module (named “Remington” in the loaded assemblies), used pe_unmapper to extract the unpacked .NET assembly, and applied de4dot to deobfuscate the Unicode-obfuscated identifiers and strings, exposing Snake Keylogger functionality (keystroke logging, clipboard hijack, browser data theft).
Configuration analysis showed a mix of AES- and DES-encrypted strings (some with unique keys), and recovered C2 data including a Telegram bot token, chat ID, and several dynamic-DNS URLs/IPs. The write-up includes PowerShell routines for AES and DES decryption and provides extracted IOCs (file hashes, filenames, URLs, Telegram identifiers) to aid detection and hunting.
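The stage-decryption step summarised above (the article's own routine is PowerShell and is not reproduced here) as an added Go example that is not code from the write-up: it reverses the stager's AES step and applies the sanity check an analyst wants on the output before handing it to a decompiler. The key, IV, the 68-byte "DLL" stand-in, and the choice of CBC mode with PKCS#7 padding are all assumptions; the real key/IV are not on this page.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// decryptStage reverses the stager's AES step; CBC mode with PKCS#7 padding (the .NET defaults) is an assumption.
func decryptStage(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects anything but a 16/24/32-byte key
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of 16 (truncated download?)", len(ct))
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1]) // PKCS#7: last byte gives the pad length; every pad byte must equal it
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad PKCS#7 padding: wrong key/IV")
	}
	return pt[:len(pt)-n], nil
}

// looksLikePE is the sanity check on the output: "MZ" DOS header plus a "PE\0\0" signature at e_lfanew (offset 0x3C).
func looksLikePE(b []byte) bool {
	if len(b) < 0x40 || b[0] != 'M' || b[1] != 'Z' {
		return false
	}
	off := int(b[0x3C]) | int(b[0x3D])<<8 | int(b[0x3E])<<16 | int(b[0x3F])<<24
	return off >= 0x40 && off+4 <= len(b) && string(b[off:off+4]) == "PE\x00\x00"
}

func encryptStage(key, iv, pt []byte) []byte { // exists only to build offline test input (what the fetched "pdf" would hold)
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	buf := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf) // in place; buf is our own copy
	return buf
}

func main() {
	key, iv := []byte("0123456789abcdef0123456789abcdef"), []byte("fedcba9876543210") // placeholders, not the real hardcoded values
	stage := append(append([]byte("MZ"), make([]byte, 0x3A)...), 0x40, 0, 0, 0, 'P', 'E', 0, 0) // constructed 68-byte PE stand-in: e_lfanew = 0x40
	pt, err := decryptStage(key, iv, encryptStage(key, iv, stage))
	fmt.Println(err, looksLikePE(pt))
}
```

A padding error or a failed PE check on real input usually means a wrong key/IV or a truncated download, not a different cipher.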
Read more: https://eversinc33.com/posts/unpacking-snake-keylogger.html