Analysis
-
max time kernel
142s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
19/07/2023, 06:23
Static task
static1
Behavioral task
behavioral1
Sample
pago b5859.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
pago b5859.exe
Resource
win10v2004-20230703-en
General
-
Target
pago b5859.exe
-
Size
581KB
-
MD5
809626e7218e41dc9947c765e5181436
-
SHA1
db750ee340d8606df607cc6cc86d752de8e8c8e8
-
SHA256
f211c5dc5c79821bc6b82b80ee62aebcecc3c85d758c3cfe87e9e47ee2179884
-
SHA512
27a5d48ccc16ea85de858b1024bea57584c2bc41127a1817dd54f9b79cc475fb504507e8a8903b8d242e4b1dc5aa099099c02b5c5fcf0beab0546a8e04b3a823
-
SSDEEP
12288:ZPYPfY72s39MAfoV+1gGmfOyPoA6h6w0concBwifzym:ZPYPg13ra+1gGmfHPopJ/air
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
smtp.mtbooks.com.mx - Port:
587 - Username:
[email protected] - Password:
^QGUcHQjx3
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
resource yara_rule behavioral2/memory/3928-143-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 pago b5859.exe Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 pago b5859.exe Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 pago b5859.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 50 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 5084 set thread context of 3928 5084 pago b5859.exe 98 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 5084 pago b5859.exe 5084 pago b5859.exe 5084 pago b5859.exe 5084 pago b5859.exe 3928 pago b5859.exe 3928 pago b5859.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 3928 pago b5859.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 5084 pago b5859.exe Token: SeDebugPrivilege 3928 pago b5859.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 5084 wrote to memory of 5112 5084 pago b5859.exe 97 PID 5084 wrote to memory of 5112 5084 pago b5859.exe 97 PID 5084 wrote to memory of 5112 5084 pago b5859.exe 97 PID 5084 wrote to memory of 3928 5084 pago b5859.exe 98 PID 5084 wrote to memory of 3928 5084 pago b5859.exe 98 PID 5084 wrote to memory of 3928 5084 pago b5859.exe 98 PID 5084 wrote to memory of 3928 5084 pago b5859.exe 98 PID 5084 wrote to memory of 3928 5084 pago b5859.exe 98 PID 5084 wrote to memory of 3928 5084 pago b5859.exe 98 PID 5084 wrote to memory of 3928 5084 pago b5859.exe 98 PID 5084 wrote to memory of 3928 5084 pago b5859.exe 98 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 pago b5859.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 pago b5859.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\pago b5859.exe"C:\Users\Admin\AppData\Local\Temp\pago b5859.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Users\Admin\AppData\Local\Temp\pago b5859.exe"C:\Users\Admin\AppData\Local\Temp\pago b5859.exe"2⤵PID:5112
-
-
C:\Users\Admin\AppData\Local\Temp\pago b5859.exe"C:\Users\Admin\AppData\Local\Temp\pago b5859.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3928
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5765cff098b629b1eb49e3ef981f7001a
SHA132b7ade1f746d013371141dcebd96e0bb3faeef3
SHA256ee17be860e129795491b4be61f5ac446b16f2679e056114024ffc72b2e23a9b7
SHA512ca2d2ddafc2dcbeab2c93f039bdbc567d4c9e0457e741e71c432b7461a1a8165891f22112ff1b57004ba51271899555fbf001db17d2dc748bafc608817bd9474