Overview

overview

10

Static

static

telex SO#1...df.exe

windows7_x64

10

telex SO#1...df.exe

windows10_x64

10

Analysis

  • max time kernel
    49s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    27-07-2021 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    telex SO#1KSZ019769-pdf.exe

  • Size

    833KB

  • MD5

    e745b5bb83dcd7045e2f1e6396d7e074

  • SHA1

    dc415847e2a782d2f714da53bb5a8e2b18a67f1b

  • SHA256

    9cb2740a3219b5aaa8d26ca22bf7a2088d66f1e1c37420dfe8121e0c5f0df2b7

  • SHA512

    40708fde86f4332c705ce90553ad518f8bcc3fe56206ebd4af7020c8a5e6813f69bd294872d35921b234829105f5947de9a905bb15a531ba4b38d4c3ea1fce9f

Score
10/10
snakekeyloggerkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    25
  • Username:
    admin@evapimlogs.com
  • Password:
    BkKMmzZ1

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\telex SO#1KSZ019769-pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\telex SO#1KSZ019769-pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Users\Admin\AppData\Local\Temp\telex SO#1KSZ019769-pdf.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:988
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1100
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/620-72-0x0000000000000000-mapping.dmp
    Download
  • memory/620-73-0x0000000000760000-0x0000000000761000-memory.dmp
    Filesize

    4KB

    Download
  • memory/752-60-0x00000000008C0000-0x00000000008C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/752-62-0x0000000001DA0000-0x0000000001DEA000-memory.dmp
    Filesize

    296KB

    Download
  • memory/752-63-0x0000000004BD0000-0x0000000004BD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/752-64-0x00000000003B0000-0x00000000003B2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/752-65-0x0000000004D10000-0x0000000004D7D000-memory.dmp
    Filesize

    436KB

    Download
  • memory/752-66-0x0000000001F00000-0x0000000001F20000-memory.dmp
    Filesize

    128KB

    Download
  • memory/988-67-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/988-68-0x000000000041F89E-mapping.dmp
    Download
  • memory/988-69-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/988-71-0x0000000004AD0000-0x0000000004AD1000-memory.dmp
    Filesize

    4KB

    Download