Analysis
max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 20/07/2023, 07:03
Static task: static1
Behavioral task: behavioral1
  Sample: PAGO 49595.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: PAGO 49595.exe
  Resource: win10v2004-20230703-en
General
Target: PAGO 49595.exe
Size: 590KB
MD5: 5771c7f376bf8760e4536e1ac832be83
SHA1: 011cc3fe71e481d4dd69d16fec2e328a1c542526
SHA256: 74e0e44962853defab1a9e26b38a812fac44b61910ea18102c3e7b227ee03ebb
SHA512: a2aeb8bada76c538515712de471c710aaee012c4d9b1fc05ee4571092e23e534fef6f98bdc0b2c58b40f1ea08326d3f034cddffe5b3edd272c72ad6d2d4a9306
SSDEEP: 12288:aS6ln+flo/XciMv0AsRfPN1+Jexurhw4Z9dqeGFnDSvRhpb7:vTdCjE0AywJexur2YSFnDSTl7
Malware Config
Extracted: snakekeylogger
  Protocol: smtp
  Host: us2.smtp.mailhostbox.com
  Port: 587
  Username: [email protected]
  Password: UWzDeXWsD8
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (6 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2840-66-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral1/memory/2840-67-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral1/memory/2840-70-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral1/memory/2840-73-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral1/memory/2840-75-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
  behavioral1/memory/2840-77-0x0000000004430000-0x0000000004470000-memory.dmp  family_snakekeylogger

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  2     checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process         procid_target
  PID 2212 set thread context of 2840  2212  PAGO 49595.exe  30

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2728  2840        WerFault.exe  30

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  2212  PAGO 49595.exe
  2212  PAGO 49595.exe
  2840  PAGO 49595.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2212  PAGO 49595.exe
  Token: SeDebugPrivilege  2840  PAGO 49595.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  description                    pid   Process         procid_target
  PID 2212 wrote to memory of 2840  2212  PAGO 49595.exe  30
  PID 2212 wrote to memory of 2840  2212  PAGO 49595.exe  30
  PID 2212 wrote to memory of 2840  2212  PAGO 49595.exe  30
  PID 2212 wrote to memory of 2840  2212  PAGO 49595.exe  30
  PID 2212 wrote to memory of 2840  2212  PAGO 49595.exe  30
  PID 2212 wrote to memory of 2840  2212  PAGO 49595.exe  30
  PID 2212 wrote to memory of 2840  2212  PAGO 49595.exe  30
  PID 2212 wrote to memory of 2840  2212  PAGO 49595.exe  30
  PID 2212 wrote to memory of 2840  2212  PAGO 49595.exe  30
  PID 2840 wrote to memory of 2728  2840  PAGO 49595.exe  31
  PID 2840 wrote to memory of 2728  2840  PAGO 49595.exe  31
  PID 2840 wrote to memory of 2728  2840  PAGO 49595.exe  31
  PID 2840 wrote to memory of 2728  2840  PAGO 49595.exe  31
Processes

1. C:\Users\Admin\AppData\Local\Temp\PAGO 49595.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\PAGO 49595.exe"
   PID: 2212
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\PAGO 49595.exe (child of PID 2212)
      Command line: "C:\Users\Admin\AppData\Local\Temp\PAGO 49595.exe"
      PID: 2840
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe (child of PID 2840)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1004
         PID: 2728
         - Program crash