Analysis

  • max time kernel: 142s
  • max time network: 147s
  • platform: windows10-2004_x64
  • resource: win10v2004-20230703-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19/07/2023, 06:23

General

  • Target: pago b5859.exe
  • Size: 581KB
  • MD5: 809626e7218e41dc9947c765e5181436
  • SHA1: db750ee340d8606df607cc6cc86d752de8e8c8e8
  • SHA256: f211c5dc5c79821bc6b82b80ee62aebcecc3c85d758c3cfe87e9e47ee2179884
  • SHA512: 27a5d48ccc16ea85de858b1024bea57584c2bc41127a1817dd54f9b79cc475fb504507e8a8903b8d242e4b1dc5aa099099c02b5c5fcf0beab0546a8e04b3a823
  • SSDEEP: 12288:ZPYPfY72s39MAfoV+1gGmfOyPoA6h6w0concBwifzym:ZPYPg13ra+1gGmfHPopJ/air

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol: smtp
  • Host: smtp.mtbooks.com.mx
  • Port: 587
  • Username: [email protected]
  • Password: ^QGUcHQjx3

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pago b5859.exe
    "C:\Users\Admin\AppData\Local\Temp\pago b5859.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5084
    • C:\Users\Admin\AppData\Local\Temp\pago b5859.exe
      "C:\Users\Admin\AppData\Local\Temp\pago b5859.exe"
      2⤵
        PID:5112
      • C:\Users\Admin\AppData\Local\Temp\pago b5859.exe
        "C:\Users\Admin\AppData\Local\Temp\pago b5859.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3928

    Network

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pago b5859.exe.log
    Filesize: 1KB
    MD5: 765cff098b629b1eb49e3ef981f7001a
    SHA1: 32b7ade1f746d013371141dcebd96e0bb3faeef3
    SHA256: ee17be860e129795491b4be61f5ac446b16f2679e056114024ffc72b2e23a9b7
    SHA512: ca2d2ddafc2dcbeab2c93f039bdbc567d4c9e0457e741e71c432b7461a1a8165891f22112ff1b57004ba51271899555fbf001db17d2dc748bafc608817bd9474
  • memory/3928-143-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize: 152KB
  • memory/3928-151-0x0000000005600000-0x0000000005610000-memory.dmp
    Filesize: 64KB
  • memory/3928-150-0x0000000075300000-0x0000000075AB0000-memory.dmp
    Filesize: 7.7MB
  • memory/3928-149-0x0000000006940000-0x0000000006B02000-memory.dmp
    Filesize: 1.8MB
  • memory/3928-148-0x0000000005600000-0x0000000005610000-memory.dmp
    Filesize: 64KB
  • memory/3928-146-0x0000000075300000-0x0000000075AB0000-memory.dmp
    Filesize: 7.7MB
  • memory/5084-137-0x00000000054B0000-0x00000000054C0000-memory.dmp
    Filesize: 64KB
  • memory/5084-141-0x00000000054B0000-0x00000000054C0000-memory.dmp
    Filesize: 64KB
  • memory/5084-142-0x00000000091F0000-0x000000000928C000-memory.dmp
    Filesize: 624KB
  • memory/5084-140-0x0000000075300000-0x0000000075AB0000-memory.dmp
    Filesize: 7.7MB
  • memory/5084-139-0x0000000005CE0000-0x0000000005E86000-memory.dmp
    Filesize: 1.6MB
  • memory/5084-138-0x00000000051C0000-0x00000000051CA000-memory.dmp
    Filesize: 40KB
  • memory/5084-147-0x0000000075300000-0x0000000075AB0000-memory.dmp
    Filesize: 7.7MB
  • memory/5084-133-0x0000000000860000-0x00000000008F6000-memory.dmp
    Filesize: 600KB
  • memory/5084-136-0x0000000005220000-0x00000000052B2000-memory.dmp
    Filesize: 584KB
  • memory/5084-135-0x0000000005730000-0x0000000005CD4000-memory.dmp
    Filesize: 5.6MB
  • memory/5084-134-0x0000000075300000-0x0000000075AB0000-memory.dmp
    Filesize: 7.7MB