Analysis
- max time kernel: 58s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 06-08-2022 07:05
Static task: static1
Behavioral task: behavioral1
- Sample: confirmations.exe
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: confirmations.exe
- Resource: win10v2004-20220721-en
General
- Target: confirmations.exe
- Size: 712KB
- MD5: 4ab1f4f9bdadbdb865bbc24c5139ee5b
- SHA1: fa1291a26d6716f709c7526b6033bc0dbe49c016
- SHA256: 8c8d32ce1daf82a1e2864bdf0d86bd17ba7e2282dd549a826242181ef04b9183
- SHA512: f85f64e326b2be36271189e50ea6eed10cabc0776a646e3f8b3ab5ae0b8a00e96e1c498218e80b88c13ffff75d52aaf4054d14c9095b42becebb33affdceba8b
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot5438794068:AAGoE4bpAIHtaGy3WdbPtgtC0pMD4Rz1TZU/sendMessage?chat_id=5268739623
Signatures
- Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (6 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2016-63-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/2016-65-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/2016-66-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/2016-67-0x00000000004202DE-mapping.dmp | family_snakekeylogger
behavioral1/memory/2016-69-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
behavioral1/memory/2016-71-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
- Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
Processes:
confirmations.exe
description | pid | process | target process
PID 912 set thread context of 2016 | 912 | confirmations.exe | confirmations.exe
- Program crash (1 IoCs)
Processes:
WerFault.exe
pid | pid_target | process | target process
704 | 2016 | WerFault.exe | confirmations.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
confirmations.exe
pid | process
2016 | confirmations.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
confirmations.exe
description | pid | process
Token: SeDebugPrivilege | 2016 | confirmations.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
confirmations.exe, confirmations.exe
description | pid | process | target process
PID 912 wrote to memory of 2016 | 912 | confirmations.exe | confirmations.exe
PID 912 wrote to memory of 2016 | 912 | confirmations.exe | confirmations.exe
PID 912 wrote to memory of 2016 | 912 | confirmations.exe | confirmations.exe
PID 912 wrote to memory of 2016 | 912 | confirmations.exe | confirmations.exe
PID 912 wrote to memory of 2016 | 912 | confirmations.exe | confirmations.exe
PID 912 wrote to memory of 2016 | 912 | confirmations.exe | confirmations.exe
PID 912 wrote to memory of 2016 | 912 | confirmations.exe | confirmations.exe
PID 912 wrote to memory of 2016 | 912 | confirmations.exe | confirmations.exe
PID 912 wrote to memory of 2016 | 912 | confirmations.exe | confirmations.exe
PID 2016 wrote to memory of 704 | 2016 | confirmations.exe | WerFault.exe
PID 2016 wrote to memory of 704 | 2016 | confirmations.exe | WerFault.exe
PID 2016 wrote to memory of 704 | 2016 | confirmations.exe | WerFault.exe
PID 2016 wrote to memory of 704 | 2016 | confirmations.exe | WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\confirmations.exe
"C:\Users\Admin\AppData\Local\Temp\confirmations.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:912
  C:\Users\Admin\AppData\Local\Temp\confirmations.exe
  "C:\Users\Admin\AppData\Local\Temp\confirmations.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2016
    C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 1100
    - Program crash
    PID:704