Analysis
max time kernel: 133s
max time network: 149s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 05/05/2023, 20:55
Static task: static1
Behavioral task: behavioral1
  Sample: POHGD06226.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: POHGD06226.exe
  Resource: win10v2004-20230220-en
General
Target: POHGD06226.exe
Size: 562KB
MD5: d5a17638cd85bd565801945b2c1104fc
SHA1: edfdad7f4a70a535377d17987db7b4519bea6053
SHA256: 70b86ae1a2b54a630bf94ed868958fdc478fa15368b29a8fef0953518fc64dad
SHA512: 875e3ba9f7cf6c00d4f695e93263da0be4ceaee4d689f3c83baaa9ef227058eaff6e46443438b022b212cbf696622362e5933ca0df32bcf25d0f5440eb401832
SSDEEP: 12288:czmI7l+NMu6AzfSjzOgiEtqzlQDZ3+gp/g0UZHu5fmL:CmN6QfmzM2yQDZ3+gVgO5fmL
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot6221660400:AAGb-WADrhdDFxd9kxzjtg3jdDw9-uvNVlM/sendMessage?chat_id=6200392710
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (7 IoCs)
resource                                                                    yara_rule
behavioral1/memory/668-63-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
behavioral1/memory/668-64-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
behavioral1/memory/668-66-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
behavioral1/memory/668-68-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
behavioral1/memory/668-70-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
behavioral1/memory/668-71-0x0000000004D90000-0x0000000004DD0000-memory.dmp  family_snakekeylogger
behavioral1/memory/668-72-0x0000000004D90000-0x0000000004DD0000-memory.dmp  family_snakekeylogger

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (6 IoCs)
resource                                                                    yara_rule
behavioral1/memory/668-63-0x0000000000400000-0x0000000000426000-memory.dmp  family_stormkitty
behavioral1/memory/668-64-0x0000000000400000-0x0000000000426000-memory.dmp  family_stormkitty
behavioral1/memory/668-66-0x0000000000400000-0x0000000000426000-memory.dmp  family_stormkitty
behavioral1/memory/668-68-0x0000000000400000-0x0000000000426000-memory.dmp  family_stormkitty
behavioral1/memory/668-70-0x0000000000400000-0x0000000000426000-memory.dmp  family_stormkitty
behavioral1/memory/668-71-0x0000000004D90000-0x0000000004DD0000-memory.dmp  family_stormkitty

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
4     checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoC)
description                         pid   Process         procid_target
PID 1928 set thread context of 668  1928  POHGD06226.exe  27

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid  Process
668  POHGD06226.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid  Process
Token: SeDebugPrivilege  668  POHGD06226.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                      pid   Process         procid_target
PID 1928 wrote to memory of 668  1928  POHGD06226.exe  27
PID 1928 wrote to memory of 668  1928  POHGD06226.exe  27
PID 1928 wrote to memory of 668  1928  POHGD06226.exe  27
PID 1928 wrote to memory of 668  1928  POHGD06226.exe  27
PID 1928 wrote to memory of 668  1928  POHGD06226.exe  27
PID 1928 wrote to memory of 668  1928  POHGD06226.exe  27
PID 1928 wrote to memory of 668  1928  POHGD06226.exe  27
PID 1928 wrote to memory of 668  1928  POHGD06226.exe  27
PID 1928 wrote to memory of 668  1928  POHGD06226.exe  27
Processes

C:\Users\Admin\AppData\Local\Temp\POHGD06226.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\POHGD06226.exe"
  PID: 1928
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\POHGD06226.exe (child of PID 1928)
    Command line: "C:\Users\Admin\AppData\Local\Temp\POHGD06226.exe"
    PID: 668
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken