Analysis
-
max time kernel
31s -
max time network
111s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
02-03-2023 07:03
Behavioral task
behavioral1
Sample
233a1e7a23d610b17707bbbc1ae6ef8a.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
233a1e7a23d610b17707bbbc1ae6ef8a.exe
Resource
win10v2004-20230220-en
General
-
Target
233a1e7a23d610b17707bbbc1ae6ef8a.exe
-
Size
152KB
-
MD5
233a1e7a23d610b17707bbbc1ae6ef8a
-
SHA1
c6998a55cd2403b06240263c913e8b2de10d7aae
-
SHA256
9494ca9bfd4c4830a5bc42a556c4380fde6c5bcbac3021a3ea27273b55a46fc9
-
SHA512
5220ca4b07f60b6bda6a172c852af4576ace9a8e79aa6cca2e58c029707c4bb557bc598569509a39e4c336c1f5775e1657ca969e0b661c217f37f2f9aad26839
-
SSDEEP
3072:qAgAEAb97xSIUX1xBhPb87sywBQ2QFbY:3NHM1xBdbI2kb
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot5869504375:AAFm1Z7IkZTyjASpoFpmokA0jISwF8dTPE0/sendMessage?chat_id=6033043077
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 3 IoCs
resource yara_rule behavioral1/memory/1296-54-0x0000000001060000-0x0000000001086000-memory.dmp family_snakekeylogger behavioral1/memory/1296-55-0x0000000004B50000-0x0000000004B90000-memory.dmp family_snakekeylogger behavioral1/memory/1296-56-0x0000000004B50000-0x0000000004B90000-memory.dmp family_snakekeylogger -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 233a1e7a23d610b17707bbbc1ae6ef8a.exe Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 233a1e7a23d610b17707bbbc1ae6ef8a.exe Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 233a1e7a23d610b17707bbbc1ae6ef8a.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 checkip.dyndns.org -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1296 233a1e7a23d610b17707bbbc1ae6ef8a.exe 1296 233a1e7a23d610b17707bbbc1ae6ef8a.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1296 233a1e7a23d610b17707bbbc1ae6ef8a.exe -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 233a1e7a23d610b17707bbbc1ae6ef8a.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 233a1e7a23d610b17707bbbc1ae6ef8a.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\233a1e7a23d610b17707bbbc1ae6ef8a.exe"C:\Users\Admin\AppData\Local\Temp\233a1e7a23d610b17707bbbc1ae6ef8a.exe"1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1296