Overview

overview

10

Static

static

sept_23092...pt.exe

windows7-x64

10

sept_23092...pt.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/09/2022, 07:00

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    sept_23092022_receipt.exe

  • Size

    985KB

  • MD5

    59837d6d3d40cc5cc56012c3fd8badfb

  • SHA1

    d2d44df58a557922d8a31928943f71adb29ac8da

  • SHA256

    3b8dcf7047a2d9440e4809359bec667476f816e5ca27e3fed3c072c8131b77be

  • SHA512

    072c3bf406814d5aa20f55b9aa417da4a81146cda43198c1eac12d721ad9742c85707a8bdd99b9ba05f2b6729a74dd8fa6d475f70ad85c00f1009d2c1ce56f9d

  • SSDEEP

    12288:GhLuyAHHubjhcmz8JjI/h5PSJZF27x12U5eHKinZsrJPrF3AyiEAmD:GhLuyyOvamzejmtYZsvzDUZC99Ayi

Score
10/10
snakekeyloggercollectionevasionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5633295549:AAH9lzzrf8Ep6i2K5UISY92DSUSu9k_w37Y/sendMessage?chat_id=5671926480

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sept_23092022_receipt.exe
    "C:\Users\Admin\AppData\Local\Temp\sept_23092022_receipt.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\sept_23092022_receipt.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4852
    • C:\Users\Admin\AppData\Local\Temp\sept_23092022_receipt.exe
      "C:\Users\Admin\AppData\Local\Temp\sept_23092022_receipt.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1900

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1900-146-0x0000000006740000-0x0000000006902000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1900-142-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4216-133-0x0000000005D10000-0x00000000062B4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4216-134-0x0000000005800000-0x0000000005892000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4216-135-0x0000000005A90000-0x0000000005A9A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4216-136-0x0000000009AD0000-0x0000000009B6C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/4216-137-0x0000000009BE0000-0x0000000009C46000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4216-132-0x0000000000D70000-0x0000000000E6C000-memory.dmp

          Filesize

          1008KB

          Download

        • memory/4852-144-0x0000000006330000-0x0000000006396000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4852-148-0x0000000070D60000-0x0000000070DAC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4852-143-0x0000000005B50000-0x0000000005B72000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4852-139-0x00000000030F0000-0x0000000003126000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4852-145-0x0000000006A10000-0x0000000006A2E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4852-147-0x0000000006FD0000-0x0000000007002000-memory.dmp

          Filesize

          200KB

          Download

        • memory/4852-140-0x0000000005C10000-0x0000000006238000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4852-149-0x0000000006FB0000-0x0000000006FCE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4852-150-0x0000000008370000-0x00000000089EA000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4852-151-0x0000000007D20000-0x0000000007D3A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4852-152-0x0000000007DA0000-0x0000000007DAA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4852-153-0x0000000007FA0000-0x0000000008036000-memory.dmp

          Filesize

          600KB

          Download

        • memory/4852-154-0x0000000007F50000-0x0000000007F5E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4852-155-0x0000000008060000-0x000000000807A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4852-156-0x0000000008040000-0x0000000008048000-memory.dmp

          Filesize

          32KB

          Download