Malware Analysis Report

2024-10-19 08:25

Sample ID 220521-bmbvbafbbm
Target eca3684f68d645ee6e591345e53f514f15e88c2de59248a9c95895b56b24ff46
SHA256 eca3684f68d645ee6e591345e53f514f15e88c2de59248a9c95895b56b24ff46
Tags
collection spyware stealer snakebot snakebot
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eca3684f68d645ee6e591345e53f514f15e88c2de59248a9c95895b56b24ff46

Threat Level: Known bad

The file eca3684f68d645ee6e591345e53f514f15e88c2de59248a9c95895b56b24ff46 was found to be: Known bad.

Malicious Activity Summary

collection spyware stealer snakebot snakebot

Snakebot family

Contains SnakeBOT related strings

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Accesses Microsoft Outlook profiles

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 01:15

Signatures

Snakebot family

snakebot

Contains SnakeBOT related strings

snakebot
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 01:15

Reported

2022-05-21 01:43

Platform

win10v2004-20220414-en

Max time kernel

123s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Products.exe"

Signatures

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Products.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Products.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Products.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Products.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Products.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Products.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Products.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Products.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\Products.exe C:\Windows\SysWOW64\netsh.exe
PID 2944 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\Products.exe C:\Windows\SysWOW64\netsh.exe
PID 2944 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\Products.exe C:\Windows\SysWOW64\netsh.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Products.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Products.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Products.exe

"C:\Users\Admin\AppData\Local\Temp\Products.exe"

C:\Windows\SysWOW64\netsh.exe

"netsh" wlan show profile

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com.br udp
NL 142.250.179.131:443 www.google.com.br tcp
US 8.8.8.8:53 consent.google.com.br udp
NL 142.251.39.110:443 consent.google.com.br tcp
NL 104.97.14.81:80 tcp
IE 20.54.110.249:443 tcp
US 8.8.8.8:53 us2.smtp.mailhostbox.com udp
US 208.91.198.46:587 us2.smtp.mailhostbox.com tcp
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
NL 178.79.208.1:80 tcp
US 8.8.8.8:53 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa udp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp

Files

memory/2944-130-0x0000000074BC0000-0x0000000075171000-memory.dmp

memory/1000-131-0x0000000000000000-mapping.dmp

memory/2944-132-0x000000000192A000-0x000000000192F000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 01:15

Reported

2022-05-21 01:44

Platform

win7-20220414-en

Max time kernel

98s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Products.exe"

Signatures

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Products.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Products.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Products.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\Products.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Products.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Products.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Products.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Products.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Products.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1544 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\Products.exe C:\Windows\SysWOW64\netsh.exe
PID 1544 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\Products.exe C:\Windows\SysWOW64\netsh.exe
PID 1544 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\Products.exe C:\Windows\SysWOW64\netsh.exe
PID 1544 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\Products.exe C:\Windows\SysWOW64\netsh.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Products.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Products.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Products.exe

"C:\Users\Admin\AppData\Local\Temp\Products.exe"

C:\Windows\SysWOW64\netsh.exe

"netsh" wlan show profile

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com.br udp
NL 142.250.179.131:443 www.google.com.br tcp

Files

memory/1544-54-0x0000000075721000-0x0000000075723000-memory.dmp

memory/1544-55-0x00000000744D0000-0x0000000074A7B000-memory.dmp

memory/1544-56-0x00000000021A9000-0x00000000021BA000-memory.dmp

memory/632-57-0x0000000000000000-mapping.dmp