Analysis
-
max time kernel
35s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
25-11-2022 16:51
Behavioral task
behavioral1
Sample
46359716b202a1ca4c32441a462038d3.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
46359716b202a1ca4c32441a462038d3.exe
Resource
win10v2004-20221111-en
General
-
Target
46359716b202a1ca4c32441a462038d3.exe
-
Size
127KB
-
MD5
46359716b202a1ca4c32441a462038d3
-
SHA1
9ede2a63fb70d57d6d18a0e628c0387ab74b0c9d
-
SHA256
5d22b8cda66289abca9e057f2ba460803a9832b6d274bf88d54c464e42356039
-
SHA512
8dac7ba27736da6a69ed8204111e1fbe578d6a51cbf0db14e0d9480154901f74ecba7ddcc35e7ffc599f58d3d3ae805f0e890c32fa09f65f8be32f290dd6c9af
-
SSDEEP
3072:yAgAEkoHj/LDdFnpb28b80qTwBj2SFbY:vxW528bB22b
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1960-54-0x00000000009C0000-0x00000000009E6000-memory.dmp family_snakekeylogger -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
46359716b202a1ca4c32441a462038d3.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 46359716b202a1ca4c32441a462038d3.exe Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 46359716b202a1ca4c32441a462038d3.exe Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 46359716b202a1ca4c32441a462038d3.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 checkip.dyndns.org -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
46359716b202a1ca4c32441a462038d3.exepid process 1960 46359716b202a1ca4c32441a462038d3.exe 1960 46359716b202a1ca4c32441a462038d3.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
46359716b202a1ca4c32441a462038d3.exedescription pid process Token: SeDebugPrivilege 1960 46359716b202a1ca4c32441a462038d3.exe -
outlook_office_path 1 IoCs
Processes:
46359716b202a1ca4c32441a462038d3.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 46359716b202a1ca4c32441a462038d3.exe -
outlook_win_path 1 IoCs
Processes:
46359716b202a1ca4c32441a462038d3.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 46359716b202a1ca4c32441a462038d3.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\46359716b202a1ca4c32441a462038d3.exe"C:\Users\Admin\AppData\Local\Temp\46359716b202a1ca4c32441a462038d3.exe"1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path