Overview

overview

10

Static

static

0009089000900.exe

windows7_x64

10

0009089000900.exe

windows10_x64

10

Analysis

  • max time kernel
    126s
  • max time network
    127s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-01-2021 09:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0009089000900.exe

  • Size

    879KB

  • MD5

    4551c0185df582b531e333d52333d6a9

  • SHA1

    c9c11adb1b6c8b00a3b5ebb39a1407f88e376e80

  • SHA256

    f8c6ac7a79dbbcdf8123c48bfa0d3e4917235f489fba0824c682781802f14fc2

  • SHA512

    b09baf8ac2820567712190893fe88c2659dc73323930e2dbec2847c303cae39d30f500bf82e68163c84ca5c0de919dfadfe0c8e48449db7d90252b2c9bde215a

Score
10/10
snakekeyloggerkeyloggerstealer

Malware Config

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger Payload 2 IoCs
  • Drops startup file 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0009089000900.exe
    "C:\Users\Admin\AppData\Local\Temp\0009089000900.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\0009089000900.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
      2⤵
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:692
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
        PID:984
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:808

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/692-32-0x0000000008360000-0x0000000008361000-memory.dmp
      Filesize

      4KB

      Download
    • memory/692-20-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/692-17-0x0000000007550000-0x0000000007551000-memory.dmp
      Filesize

      4KB

      Download
    • memory/692-40-0x0000000009360000-0x0000000009361000-memory.dmp
      Filesize

      4KB

      Download
    • memory/692-18-0x00000000075F0000-0x00000000075F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/692-38-0x0000000009650000-0x0000000009651000-memory.dmp
      Filesize

      4KB

      Download
    • memory/692-19-0x0000000007F20000-0x0000000007F21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/692-34-0x0000000008640000-0x0000000008641000-memory.dmp
      Filesize

      4KB

      Download
    • memory/692-31-0x00000000076E0000-0x00000000076E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/692-22-0x0000000004AF2000-0x0000000004AF3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/692-13-0x0000000000000000-mapping.dmp
      Download
    • memory/692-14-0x0000000073C50000-0x000000007433E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/692-15-0x0000000004B00000-0x0000000004B01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/692-16-0x0000000007710000-0x0000000007711000-memory.dmp
      Filesize

      4KB

      Download
    • memory/692-42-0x0000000004AF3000-0x0000000004AF4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/692-39-0x00000000092F0000-0x00000000092F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-26-0x0000000073C50000-0x000000007433E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/808-25-0x00000000004643BE-mapping.dmp
      Download
    • memory/808-35-0x00000000068B0000-0x00000000068B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-33-0x0000000005970000-0x0000000005971000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-24-0x0000000000400000-0x000000000046A000-memory.dmp
      Filesize

      424KB

      Download
    • memory/1304-11-0x0000000005B50000-0x0000000005B51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1304-3-0x0000000000F00000-0x0000000000F01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1304-9-0x0000000008EB0000-0x0000000008EB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1304-2-0x0000000073C50000-0x000000007433E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1304-23-0x0000000005DB0000-0x0000000005DBF000-memory.dmp
      Filesize

      60KB

      Download
    • memory/1304-10-0x00000000092A0000-0x00000000092A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1304-12-0x0000000005B53000-0x0000000005B55000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1304-8-0x0000000008E10000-0x0000000008EA1000-memory.dmp
      Filesize

      580KB

      Download
    • memory/1304-7-0x0000000005980000-0x0000000005981000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1304-6-0x00000000058D0000-0x00000000058D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1304-5-0x0000000005DD0000-0x0000000005DD1000-memory.dmp
      Filesize

      4KB

      Download