Snake Keylogger
---------------------------------------------------
date: 5/5/2021
delivery: Unknown
persistence: scheduled task, \Updates\SPjSKjh, c:\users\<userid>\appdata\roaming\spjskih.exe
capabilities (per memory strings): Keylogger (KeyDown, KeyboardState, StartKeyLogger), Credential Theft (UCBrowser, Vivaldi, Thunderbird, etc.)
c2s: unknown
identification method: filename similar to previous (vbc.exe) and other patterns match, like re-launching the EXE after 1 min 45 sec, possible SMTP-type C2, etc.
special notes: .NET executable, starts execution at about 14 to 15 MB initially, waits about 1 min 45 seconds, then relaunches itself with a new PID; the 2nd executable waits several minutes to do anything, then checks for credentials (chrome, qqbrowser, ultravnc, thunderbird, waterfox, etc.) through disk and registry, and the in-memory strings on the 2nd end up including the credential theft. Also, this appears to be "Agent Tesla" per all the other indicators I have, as well as API.Telegram.org connections and possible SMTP C2 with an email address, so I think this is some kind of Agent Tesla/Snake Keylogger hybrid
samples:
EXE - https://www.virustotal.com/gui/file/089d065fe8e39f8b19a726cb15ac216e352a5576f446c5fc38486f1fbb7a1d9c/detection
links:
https://twitter.com/neonprimetime/status/1389964247942279168
screenshots:
---------------------------------------------------
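Added example (not from the original note, and not code from any project named in it): a small Python hunt that turns two of the observations above into detection logic, the scheduled task whose action is an EXE under the per-user AppData\Roaming folder, and the "relaunches itself after about 1 min 45 s" pattern, which shows up in process-creation telemetry as a child whose parent ran the same image roughly 105 seconds earlier. The telemetry line format, the sample events, and the 90 to 150 second tolerance window are all constructed assumptions for this example; real Sysmon or EDR fields would need to be mapped onto the same keys.

```python
import re
from datetime import datetime, timedelta

# Delay window for the "relaunches itself" pattern: the note observes ~1 min 45 s.
# The tolerance around it is an assumption chosen for this example.
RELAUNCH_MIN = timedelta(seconds=90)
RELAUNCH_MAX = timedelta(seconds=150)

# User-writable per-user Roaming profile, the persistence path seen in the note.
ROAMING_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$", re.IGNORECASE
)

# Constructed sample telemetry (not real data): one PROC_CREATE or TASK_CREATE event
# per line, "<timestamp> <kind> key=value ...". Values may contain spaces.
SAMPLE_LOG = r"""
2021-05-05T10:00:00Z PROC_CREATE pid=3300 ppid=1200 image=C:\Windows\explorer.exe
2021-05-05T10:00:01Z PROC_CREATE pid=4120 ppid=3300 image=C:\Users\alice\AppData\Roaming\spjskih.exe
2021-05-05T10:00:03Z TASK_CREATE pid=4120 task=\Updates\SPjSKjh action=C:\Users\alice\AppData\Roaming\spjskih.exe
2021-05-05T10:00:10Z PROC_CREATE pid=4500 ppid=3300 image=C:\Program Files\Google\Chrome\Application\chrome.exe
2021-05-05T10:00:11Z PROC_CREATE pid=4510 ppid=4500 image=C:\Program Files\Google\Chrome\Application\chrome.exe
2021-05-05T10:01:46Z PROC_CREATE pid=5208 ppid=4120 image=C:\Users\alice\AppData\Roaming\spjskih.exe
2021-05-05T10:05:00Z TASK_CREATE pid=9000 task=\Microsoft\Windows\Defrag\ScheduledDefrag action=C:\Windows\System32\defrag.exe
"""

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>\S+)\s+(?P<rest>.*)$")
# key=value pairs; a value runs until the next " key=" or end of line, so paths with spaces survive
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one telemetry line into a dict; returns None for blank or unparseable lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "kind": m["kind"]}
    ev.update(dict(KV.findall(m["rest"])))
    for k in ("pid", "ppid"):
        if k in ev:
            ev[k] = int(ev[k])
    return ev


def parse_log(text):
    return [ev for ev in (parse_event(line) for line in text.splitlines()) if ev]


def find_self_relaunch(events):
    """Child created by a parent running the same image, 90-150 s after the parent started."""
    procs = [e for e in events if e["kind"] == "PROC_CREATE"]
    hits = []
    for child in procs:
        parents = [p for p in procs if p["pid"] == child["ppid"] and p["ts"] <= child["ts"]]
        if not parents:
            continue
        parent = max(parents, key=lambda p: p["ts"])  # latest creation for that PID (PID reuse)
        if parent["image"].lower() != child["image"].lower():
            continue
        delay = child["ts"] - parent["ts"]
        if RELAUNCH_MIN <= delay <= RELAUNCH_MAX:
            hits.append((parent["pid"], child["pid"], int(delay.total_seconds())))
    return hits


def find_roaming_task_persistence(events):
    """Scheduled tasks whose action is an EXE living under the user's AppData\\Roaming."""
    return [
        (e["task"], e["action"])
        for e in events
        if e["kind"] == "TASK_CREATE" and ROAMING_EXE.match(e.get("action", ""))
    ]


def analyse(text):
    events = parse_log(text)
    return {
        "self_relaunch": find_self_relaunch(events),
        "roaming_task": find_roaming_task_persistence(events),
    }


if __name__ == "__main__":
    for name, findings in analyse(SAMPLE_LOG).items():
        print(name, findings)
```

On the constructed log the Chrome parent/child pair is ignored because its one-second spawn falls outside the window, and the Defrag task is ignored because its action lives under System32; only the Roaming EXE task and the 105-second self-relaunch are reported. Either finding on its own is weak (updaters relaunch, and plenty of legitimate software installs per-user), so the two are meant to be correlated on the same PID, as the sample does.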