Analysis
-
max time kernel
35s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
25-11-2022 16:51
General
-
Target
46359716b202a1ca4c32441a462038d3.exe
-
Size
127KB
-
MD5
46359716b202a1ca4c32441a462038d3
-
SHA1
9ede2a63fb70d57d6d18a0e628c0387ab74b0c9d
-
SHA256
5d22b8cda66289abca9e057f2ba460803a9832b6d274bf88d54c464e42356039
-
SHA512
8dac7ba27736da6a69ed8204111e1fbe578d6a51cbf0db14e0d9480154901f74ecba7ddcc35e7ffc599f58d3d3ae805f0e890c32fa09f65f8be32f290dd6c9af
-
SSDEEP
3072:yAgAEkoHj/LDdFnpb28b80qTwBj2SFbY:vxW528bB22b
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\46359716b202a1ca4c32441a462038d3.exe"C:\Users\Admin\AppData\Local\Temp\46359716b202a1ca4c32441a462038d3.exe"1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1960-54-0x00000000009C0000-0x00000000009E6000-memory.dmpFilesize
152KB
-
memory/1960-55-0x0000000075451000-0x0000000075453000-memory.dmpFilesize
8KB