snakebot | eed0acd0a40e11ceed2cb1fb296b49579252c77b8d4d3956e56f4c805dbc258a

Analysis

max time kernel
93s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2023 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mame0251b_64bit.exe
Size

84.8MB
MD5

f8694b115a065647e434c0092721202f
SHA1

5aa75a73bae6b30874854dc84749cf802f0e486b
SHA256

eed0acd0a40e11ceed2cb1fb296b49579252c77b8d4d3956e56f4c805dbc258a
SHA512

c6b70dbdd980da6e8a653d018cc9e78bec8b84467d9d31bf490e5e17c86119fe10b4f91490fda4804c3f0d1eab49cca809c3866ac83527f6fe288edb66205a3c
SSDEEP

1572864:MRS1w/qSngj/dHH4wt/QDYTD3ihRKQwgbbQNYKmXCVdiVvaIi:MRSDSnAuDYTD3i+QtMYKfdKvm

Score

10^/10

snakebot snakebot

Malware Config

Signatures

SnakeBOT
SnakeBOT is a heavily obfuscated .NET downloader.
snakebot

Contains SnakeBOT related strings 2 IoCs

snakebot

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\New folder\mame.exe	snakebot_strings
C:\Users\Admin\Desktop\New folder\mame.exe	snakebot_strings

Executes dropped EXE 1 IoCs

Processes:

mame.exe

pid process

2596 mame.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2596	mame.exe

Modifies registry class 2 IoCs

Processes:

mame0251b_64bit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	mame0251b_64bit.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	mame0251b_64bit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mame0251b_64bit.exe

pid process

4408 mame0251b_64bit.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 4956 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 4956 AUDIODG.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

mame0251b_64bit.exe

pid process

4408 mame0251b_64bit.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

mame.exe

pid process

2596 mame.exe

pid	process
4408	mame0251b_64bit.exe

description	pid	process
Token: 33	4956	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4956	AUDIODG.EXE

pid	process
4408	mame0251b_64bit.exe

pid	process
2596	mame.exe

C:\Users\Admin\AppData\Local\Temp\mame0251b_64bit.exe
"C:\Users\Admin\AppData\Local\Temp\mame0251b_64bit.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4408

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1456

C:\Users\Admin\Desktop\New folder\mame.exe
"C:\Users\Admin\Desktop\New folder\mame.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2596

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c 0x404
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\New folder\mame.exe
Filesize
260.3MB

MD5
19714309467c2302950fc489a313dff4

SHA1
311ea237a8a631cd469a329f0ebf7d2a5678bccb

SHA256
dee8a2739981e805dc83a3907b8f81924710e2420087f75772b1900c3ddc8f0f

SHA512
cdaae58cad4c5e0d3a350086b802c4bedcf7d90e07d2585ae9d21c386560f5ce24f11a423d1ed315cc0fa12dfc83ad42922371efeab8a34c580c85b59ad5b36d

Download Submit
C:\Users\Admin\Desktop\New folder\mame.exe
Filesize
256.2MB

MD5
f070f7cc539ed13d7c1d5afeb15b4073

SHA1
a48b97fbe18df5e917ca9019499f1e556a13c1bd

SHA256
6862eb81ceed6f9b0d004bb6fc7c53ba83e94840b888f5b8cfc2e8be2f8b7ac3

SHA512
41e2af4c9506cee82ff6d811bba871cc8d8b46c51036c9d7e02f4ab45160646ffc5b5e2072501418b76a49b6489a5cbd037413b6ae2a5ae701a41648e93f4192

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\autofire\plugin.json
Filesize
172B

MD5
ea2762076cc19dc316117d1c7fcd1829

SHA1
6148f46190d82b275ca4a573b084c82f674f4dde

SHA256
668320eff3209f7305a1541d2eb7b5ce1b4cb013aae9760f13504e0f7ce18ce5

SHA512
0474b20e312ab535e45c026bdb2aedfc0aad71e601b8644d5361b45d466f604eb5b90a6e79d860b53aca759d44d072d50434a7fdbe29f6a66bed245106dc966a

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\boot.lua
Filesize
1019B

MD5
809a691069c6b8531e5a770dc3b92a69

SHA1
3732f1aeea740c2e5df51b0b51c6665028314ae6

SHA256
8466722f2a08bba1ce9a79488e2d71133c6e9364b36e9cbb07be83085b769859

SHA512
44662c9dc2173473ee96574b1a7ba3de5773706161b5a03ab56f6d2b7ef7ac335c241e4954f29429d173d529b86e1ea46acea72e7dbd351baf625ac72bb1ecfd

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\cheat\plugin.json
Filesize
159B

MD5
997443c2d8a3778b67583ecb078369b1

SHA1
053cc958235c6076553eb5579f22e22f317ae36a

SHA256
5e78593780bee64952e668377947a7f73f1068ba7cc872a6446cfb7fb085909c

SHA512
10103fc835c29a96aec5c6d1de7f1dcd46e28a61a21eacbc33e80aa8eae948fadd772be802d685df4cc80dc09bcb0f24d259ac1dffa976f134d73a9314e99aa8

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\cheatfind\plugin.json
Filesize
178B

MD5
a0fc678d57b6146f88efc64424fa314c

SHA1
243bdb8bffcb49f5097e8528041eeee78a35198b

SHA256
3398640e16d2917f279fcf0a25f1b6c87180940403bccbb19953b594426cd4a5

SHA512
7480d40ecb93b49ab4253dfcc0204e9adcc06cc40de101a89669401e5963c802efab549d69cb477943130b6d51567e8e9c24998ca1bff31f7379ef9eeb1df986

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\commonui\plugin.json
Filesize
163B

MD5
4fa841abbb26f4f710e6e38c2c14947c

SHA1
c04bdb6227bab186a5903e5c275b36545a412307

SHA256
2b807189c5ff0d5ce6bca5cbda8186286b988f95a202575a0f148a9c0915ec6d

SHA512
13d46c88c5c6d50d91db44313ac5ec8d4056c4341f969232d4e2ebf0aaea6b68858fa2eac9bf97cf4522831f649dc6dc6c3cf320ad65e4908484e98cd353b027

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\console\plugin.json
Filesize
163B

MD5
9e5b3f3c34cef2e8316cd8333e462bdb

SHA1
2a0fd72a739f339bb2be6806f9964bc5a3ed4bfc

SHA256
7aeadd444340db9beaa01805312d75dc47dd4dcbb843d7b76eefd79de313ac2e

SHA512
f1291ba7ca5f42a82ada340aa516b53310e7d087f26d127791e48017662a0fd9b8b2800b24ac7ef97b332821c6230c3e71baea8194d6b37aff45e5bfab9b1499

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\data\data_command.lua
Filesize
671B

MD5
97494d60a24bc8b6f3cc85dbad431fcc

SHA1
139a890583850c85076ea4a968fbf9014262c242

SHA256
beef37e76d21f3f8dd3cca31c995931c1ed43480a9b14701201886e79098c114

SHA512
09896c90bb95248c69c988a7333f023deb417bae2f8e602a11f56a8f449fe35d6ca667f80c6e06c6c0ebefcded85e6baa7647e551bbbc62b29c509b23fbb84a0

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\data\data_gameinit.lua
Filesize
493B

MD5
0e5ba5046fbd98a6b87a301fd6ce81ec

SHA1
64f11f93db0a8f97b0cfb27efb0fa7fa96f633b6

SHA256
b408246d39971f1e02e5899778618c251c845e38159250cf4b7c9fde152f8b3e

SHA512
73a37d6a39717fd0c9ad60c4b5deb145f40c0e2a99213afecd175f2350984fd19482eebbfd8417c8a4d0a5cfc6e5ab1e0f9297e1230f69893f8144b5a9e84ac7

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\data\data_hiscore.lua
Filesize
41KB

MD5
63f264d77f996ae05c72756a2520a755

SHA1
aec8bc799c73738ed98bdb6c2cc5687fdf656fa7

SHA256
91ca936426c62f81d2e241377db415fcc60ace78a478c4012356736f23f23232

SHA512
d47c4b52e09cb56033f58ad61740c707b81aea49b43f3f5c457d3c83e2861ed302f7a52050f353705a54c4ec423bad675e0332c7ff9fdaa63df8860c352dc0c7

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\data\data_history.lua
Filesize
5KB

MD5
9b758be3ae53eaba7853c6f69e7c8f5c

SHA1
aedf216e6af8766e92c2cfbabcc835d58e2f8e3c

SHA256
1ee74c2398d90b5ef67e1a1442dac7b639f7d2b31598ecb5ad1ec5675fa95d8d

SHA512
3fa7ac863ade2bb1102afd37d33b4b46e0d47662d72190cfc2bb368f33e330226624f3987e34baabadb919107fa3a1ab770c383e4b31d67c13b221df79be3e41

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\data\data_mameinfo.lua
Filesize
823B

MD5
0e0147e2eab1a564b44abd1e48d1b83f

SHA1
72c2e2ce93b314db7e821ca24799b8dcf73b3c34

SHA256
7040769af4ca2b588f4dbad0057bda8409ea45bc8a39aba1cbed78a6b5804a01

SHA512
f0d1f36230269f5b76b731e5a7209492c554f4ba4a26cd3e6620aa3f48262011cc9366c89dcbd150b90d70672607a9f43c9c77a0f5a8fd828827538b8e4b2053

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\data\data_marp.lua
Filesize
3KB

MD5
1b28733e2396cb332d0929b9988eb483

SHA1
a62a18b2af58a98e81613cf486795680eab63b8f

SHA256
99ceb7f96260eb1fc1ecf5d52b52fc3252e4f4355bf32f4cb4c562f50c677efb

SHA512
dd5f03a1e3e2382f2a43cd850f200359a2444f77a52e676aa3aeb749e431047a96602b1fcb14b1845460325fba0d1dae5787abc4bb666003d22c196c1144246b

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\data\data_messinfo.lua
Filesize
827B

MD5
e0cdcde7ee7adae5583dd974c3e7d713

SHA1
2054e3879a119c2186e3a844c8a34fae5b0f4ded

SHA256
dee66ff5bc3d51a59d5fe75e0d27939a8b3d82dda18633081a718d77b2262a48

SHA512
9b0c79c7d21753161119aa40bbcadf259055ec67c17b2e1d030bde3005a7c5ec02e9c5edca6bbcbfaa7f2528a549cf0d85c93a16f418be3be713bdfcb6c7cdc6

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\data\data_story.lua
Filesize
827B

MD5
8e7e651b904e0bcbd4c185976e513675

SHA1
6e861e49250a42f7343c116e1a0460a4d97a9315

SHA256
c70cc7a0118eff08dae862175d2bf022d9f66a30d8be6886a1f5a7865255a601

SHA512
b1f4d095ffc413b9c8f973a807382bb6ce1cf9aeacb0842822e2b9b5b6c8ec6f0554211af24fc704d0927b2b5e39c53a1bb68dcae7dba4d010a0514f8b785777

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\data\data_sysinfo.lua
Filesize
502B

MD5
8273929fd3baa881e866a3b051787b29

SHA1
1803b8d1e534d273c0eafb9f3d24bc64e7e1ccee

SHA256
97ac195aeab271c3d0c48293662a92a5c0955849fc6078b32242b48c679f81c7

SHA512
b40b59eedfd45b5afa18ab5942739713d9f0227b176f0d1b61302d2b8d8857a6ae41128f7e17b3dc9160b25660daef16297222960c6b7b8dc23fe0e61580a1fe

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\data\database.lua
Filesize
3KB

MD5
9326cfee217cc23f49229f05910a3b40

SHA1
86fb5619df8add05af173986606458e2217e9168

SHA256
ff37a17245e7addcfa81eef5a878120184ea6c2f253330a4ddce823e6270552f

SHA512
ba4f78793c81bc39dd6146e853ba9b2d1c96ae8ef4a4587ebacbaec75f914a276c8b219decf14131645a1cea0c80361079a3dde63e0ad963dfd2521643d6e8a7

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\data\init.lua
Filesize
1KB

MD5
102716e51bbec6bd1c96f3c16d73d3b3

SHA1
618383c0fce88b540024c17ddfaf55e43ad1b252

SHA256
5ff2a3cf995415468b6960d0650e74f577927f096a6f5ed7845d795d424b4344

SHA512
226c44acba0674a3f2ee6661b2308e63abcd6dffc2b2a707d2416eff2d08ce4af9c322c52372e9bc5af1b4a92130162cfd93b6740ee3f3ce77d7dd2f0f4d487a

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\data\load_dat.lua
Filesize
6KB

MD5
80620f14e28b86f6c6e468c3b14ac116

SHA1
902c55f749c88aa9e4735a27322531656c769c57

SHA256
4116eeac7fe679cc722f50f9bcdbd7185d508d3e627971bca947188a3184714a

SHA512
b745b94b6992dcf61fba28b34ddea7f62b8cdbe61611a748e649e414f57ed8e64f639d5a06670aa6c5931053bf93650132e1476a70cc16f59472d137bb15be77

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\data\plugin.json
Filesize
156B

MD5
fbbf3a8152ae9875c1d2a92ff912c895

SHA1
a19378f007852f0acafecb410f6450b9419f6892

SHA256
e9e058fa0063b053ae3ee49ea59002f883eeddd96790a160d078de0e7dcf6a44

SHA512
73cca176104eb4dc8227a97a2453e36cb37042a8ce08b371626fe9fe5468b56725fb7f9e38b16013911702047dc433292158ff22652fe946f76a5b22e4ab2d2c

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\discord\plugin.json
Filesize
165B

MD5
2dddccc2dcbfc459d99588ca70b4f03b

SHA1
e14383a43bde5373359af2c1e7b8056936fc6eee

SHA256
7da41ef055de22c333841c312830029303abdc8ae4691812e6467bd7369f88b5

SHA512
185b9203c5c58a630129ddad82dd9eda90cb8a360e573a473628fbbb6dedc6631374a71b73e000ed2c3c728b059ccdd6841c3df1f8c405f23ee61e5f44dfbb2f

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\dummy\plugin.json
Filesize
177B

MD5
464731a5ce72ede22ab48e40b917f0b1

SHA1
6a223bf1a5db0a9a83ca64fdfd020bb01d75e7c7

SHA256
4275406f363c46b9309c7a661a6883a708f0de6032b275a6a4e4cad905a37c07

SHA512
5b4f9acad3979bf62c9b19291407d4a52b74be9ab697e4f79cbd2b5026bbddd27ed1eefd6a07f4b539919c66f47654f5ce403adc97be2b936cfb47b93238b1f2

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\gdbstub\plugin.json
Filesize
164B

MD5
06109a198818b0e9ef41910a4c2a607f

SHA1
4d899d1575f63c6970900349193da9d3d29b2dfa

SHA256
60765115032291f1cd28eec65edca1d1c344e7b6fb2fc0b81bc87434e42fa20b

SHA512
e77ebc364840aba01f9be9c50145819fff14c9f03a264e952ee4e5391ecbca212dea39f23a61112a123efd79ebd84f5bee18143b2480e5d86b14172642634ae8

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\hiscore\plugin.json
Filesize
177B

MD5
4d29171259afb1e58233a2ac4755047d

SHA1
c1a7ddf8390c592148213cbdd090be169e154578

SHA256
a36bf4bcfa9275e527032a36e400702e27d751e2f8c6ec6affd792ab234108f9

SHA512
a6b5dccac9788f498bdb77e1ad3ed25f2180b73ceee14f49dfa390c7ba8215ca2686a1668a2255d7c5168b28432401191c43a197c42e8e1899f483b31fb07509

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\inputmacro\plugin.json
Filesize
181B

MD5
5f50d42bdc01f3503d0d86305c3db58f

SHA1
feefa967d91769612f42515c140a17cc694ee91a

SHA256
dbde05a6af4455d3a559b6ea32a6e82d71852484050238d8b20e0484cfaf761a

SHA512
8b4e84b733c428c8fd3f23bfb980c37e150483c96088cfa557288d53ddd077bed84465a1063c35bcf811e374fd310b7a61a0daf90b5631e55c6c23dc2a202909

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\json\plugin.json
Filesize
145B

MD5
bf9dfb8206ae8fb23615d59e51967749

SHA1
fe49a4d559b969cbc7c66521d935df9adea45e45

SHA256
e1e17a073629a4e2b1fc39807e39589fd5f31b4ad3dd08f73ceced375cef07a7

SHA512
da1565b93e94a0ad88d2987edfd727780260f5c86f44742ca3f2c38543aefd0e87b36aa607557d7a59ad399bb9bdf29cc16dd6e0d63231c2dccd509b9ceb16eb

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\layout\plugin.json
Filesize
168B

MD5
530c0648c71f9a587b1b5fc528ead5f5

SHA1
53e41828e834ca4e81327073dc4b4978224bf58a

SHA256
5ca77c35a132dc8f1007debb5ada83c3b2ecddd0a2af3103ec5a6373edb66642

SHA512
6bcf21a1e544ccdbfda397a25812680881eecd2492536403120fc9d53e8b42fa72febc6fd5ff9f73a56c006dc1f9e23b151f6489058d2e39bb388c485202ef55

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\portname\plugin.json
Filesize
180B

MD5
0a52fb8b15c311ffaf1cfc50c5a5edf8

SHA1
9a24b2225b7d1a20d42242dab1a0bbb28c77a14d

SHA256
904798901efbfc5c378f1617963949c163ee6320159d9a632bc656a8c65a9fbf

SHA512
3376f164c4cdc7f7cb36e0d849b943fed11f78d15df043c13b560b7ddc374c7956c7a81ff62002b588878d7ec9c434c7364725338b182ba37eb824dfa1505658

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\timecode\plugin.json
Filesize
185B

MD5
96c29ad50ffede589243769dbacfddb9

SHA1
44e68ad4ed0ea988432ba7f561aa860148423c4c

SHA256
695449980a7128fd2bffa8f7b505fadd84eb3b7fc560c0fb17a5df9785be1f97

SHA512
811f5acc0b8f15d1ac1ea8f5f36dc229508192f0069f9725effdc50090b09e671d235aa290d28933014b513ca15afe7bbf29eb50b004dd08df02589bfb4b24cc

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\timer\plugin.json
Filesize
171B

MD5
0551630eb53a7d1038560a566e97e3c6

SHA1
6299b684709319356812d58f1941c695cebf9357

SHA256
716c2c2064c8765dbefdaf69f5948c48d61941103919da192b417122ceda3437

SHA512
463c4ea6ba10eea4cb35c75f02cc2312dee3533ef60eb66827094252b7738b620e00663c0843bb7b7f91e31f1c056e768e3a5221a1c81c162d68610b0a8583c1

Download Submit
C:\Users\Admin\Desktop\New folder\plugins\xml\plugin.json
Filesize
155B

MD5
d3e4bdecdb86770ac406dd3b647e3319

SHA1
7842bb5656f8be814d4ad0fd86bab0768e5104d8

SHA256
a59eea8a14b457c972dca1b209f8ea27d7f387826982a31d2627df212b8754b5

SHA512
a5a6b27c2593994046d24a05bae8638bca473e74eabc4ea8651f43ba5250294f9e3870dd4bcd2597cb1f923eee259105bec220101959f87fbd62038bf68c9b02

Download Submit