Malware Analysis Report

2024-10-19 08:25

Sample ID 220521-bwjxaaceg7
Target 38a71942dc5220e5b0deeb6926022d40f43ba1123ec2f3ac24aba7b40d662a12
SHA256 38a71942dc5220e5b0deeb6926022d40f43ba1123ec2f3ac24aba7b40d662a12
Tags
snakebot snakebot collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

38a71942dc5220e5b0deeb6926022d40f43ba1123ec2f3ac24aba7b40d662a12

Threat Level: Known bad

The file 38a71942dc5220e5b0deeb6926022d40f43ba1123ec2f3ac24aba7b40d662a12 was found to be: Known bad.

Malicious Activity Summary

snakebot snakebot collection spyware stealer

Snakebot family

Contains SnakeBOT related strings

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Accesses Microsoft Outlook profiles

Enumerates physical storage devices

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 01:29

Signatures

Snakebot family

snakebot

Contains SnakeBOT related strings

snakebot
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 01:29

Reported

2022-05-21 02:18

Platform

win7-20220414-en

Max time kernel

95s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe"

Signatures

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe

"C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe"

C:\Windows\SysWOW64\netsh.exe

"netsh" wlan show profile

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com.br udp
NL 142.250.179.131:443 www.google.com.br tcp
US 8.8.8.8:53 consent.google.com.br udp
NL 142.251.39.110:443 consent.google.com.br tcp

Files

memory/1808-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

memory/1808-55-0x0000000073F50000-0x00000000744FB000-memory.dmp

memory/1808-56-0x0000000000A29000-0x0000000000A3A000-memory.dmp

memory/1988-57-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 01:29

Reported

2022-05-21 02:18

Platform

win10v2004-20220414-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe"

Signatures

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2832 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe C:\Windows\SysWOW64\netsh.exe
PID 2832 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe C:\Windows\SysWOW64\netsh.exe
PID 2832 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe C:\Windows\SysWOW64\netsh.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe

"C:\Users\Admin\AppData\Local\Temp\purchase enquiry.exe"

C:\Windows\SysWOW64\netsh.exe

"netsh" wlan show profile

Network

Country Destination Domain Proto
US 67.26.209.254:80 tcp
US 8.252.118.254:80 tcp
US 8.8.8.8:53 www.google.com.br udp
NL 142.250.179.131:443 www.google.com.br tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
IE 20.54.89.106:443 tcp
NL 52.178.17.2:443 tcp
US 93.184.220.29:80 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
US 8.8.8.8:53 smtp.yandex.com udp
RU 77.88.21.158:587 smtp.yandex.com tcp

Files

memory/2832-130-0x00000000750A0000-0x0000000075651000-memory.dmp

memory/5064-131-0x0000000000000000-mapping.dmp

memory/2832-132-0x00000000014FA000-0x00000000014FF000-memory.dmp