Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    06/03/2023, 15:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    867KB

  • MD5

    e95d885c6ece5419fd104c8226aa7244

  • SHA1

    8346e1c7c845b1b67437b8cf9ec103acfa9b2047

  • SHA256

    f7626ca5799f9bb0842eb33d0c870ab943abed8eb6882dd11b4e741fa6453f25

  • SHA512

    6fe7e8414834723f99c76d3ccafc2460f8111e71e8409cd0ff685b0ccf446304867d0ef775670f42cff2ea0d9cba52589eee6e2007279ab24916b4fce65e7a90

  • SSDEEP

    24576:n1Qwe3cOQ/lMZbrpX6Bngbrxx/iaIU8Ucn:nBFAbVmgbrih

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5875198898:AAHb7cYwGrkdJdBq0_UiL6kYLg7WcXhadcM/sendMessage?chat_id=5279616630

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 7 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
        PID:272
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\file.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1764

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1052-54-0x0000000000150000-0x0000000000230000-memory.dmp

      Filesize

      896KB

      Download

    • memory/1052-55-0x0000000004D10000-0x0000000004D50000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1052-56-0x0000000000510000-0x0000000000526000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1052-57-0x0000000004D10000-0x0000000004D50000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1052-58-0x0000000000530000-0x000000000053C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1052-59-0x00000000054E0000-0x0000000005580000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1052-60-0x0000000002060000-0x0000000002088000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1764-61-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1764-62-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1764-63-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1764-64-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1764-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1764-66-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1764-68-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1764-70-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1764-71-0x0000000002260000-0x00000000022A0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1764-72-0x0000000002260000-0x00000000022A0000-memory.dmp

      Filesize

      256KB

      Download