Analysis
max time kernel: 127s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/07/2023, 07:03
Static task: static1
Behavioral task: behavioral1
  Sample: PAGO 49595.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: PAGO 49595.exe
  Resource: win10v2004-20230703-en
General
Target: PAGO 49595.exe
Size: 590KB
MD5: 5771c7f376bf8760e4536e1ac832be83
SHA1: 011cc3fe71e481d4dd69d16fec2e328a1c542526
SHA256: 74e0e44962853defab1a9e26b38a812fac44b61910ea18102c3e7b227ee03ebb
SHA512: a2aeb8bada76c538515712de471c710aaee012c4d9b1fc05ee4571092e23e534fef6f98bdc0b2c58b40f1ea08326d3f034cddffe5b3edd272c72ad6d2d4a9306
SSDEEP: 12288:aS6ln+flo/XciMv0AsRfPN1+Jexurhw4Z9dqeGFnDSvRhpb7:vTdCjE0AywJexur2YSFnDSTl7
Malware Config
Extracted
Family: snakekeylogger
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: [email protected]
Password: UWzDeXWsD8
Signatures
Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
Snake Keylogger payload (2 IoCs)
  resource: behavioral2/memory/3384-143-0x0000000000400000-0x0000000000426000-memory.dmp  yara_rule: family_snakekeylogger
  resource: behavioral2/memory/3384-148-0x00000000054C0000-0x00000000054D0000-memory.dmp  yara_rule: family_snakekeylogger
Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description: Key opened  ioc: \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Process: PAGO 49595.exe
  description: Key opened  ioc: \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Process: PAGO 49595.exe
  description: Key opened  ioc: \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Process: PAGO 49595.exe
Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 54  ioc: checkip.dyndns.org
Suspicious use of SetThreadContext (1 IoCs)
  description: PID 2928 set thread context of 3384  pid: 2928  Process: PAGO 49595.exe  procid_target: 99
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid: 2928  Process: PAGO 49595.exe
  pid: 2928  Process: PAGO 49595.exe
  pid: 2928  Process: PAGO 49595.exe
  pid: 2928  Process: PAGO 49595.exe
  pid: 3384  Process: PAGO 49595.exe
  pid: 3384  Process: PAGO 49595.exe
Suspicious behavior: RenamesItself (1 IoCs)
  pid: 3384  Process: PAGO 49595.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege  pid: 2928  Process: PAGO 49595.exe
  description: Token: SeDebugPrivilege  pid: 3384  Process: PAGO 49595.exe
Suspicious use of WriteProcessMemory (11 IoCs)
  description: PID 2928 wrote to memory of 2676  pid: 2928  Process: PAGO 49595.exe  procid_target: 98
  description: PID 2928 wrote to memory of 2676  pid: 2928  Process: PAGO 49595.exe  procid_target: 98
  description: PID 2928 wrote to memory of 2676  pid: 2928  Process: PAGO 49595.exe  procid_target: 98
  description: PID 2928 wrote to memory of 3384  pid: 2928  Process: PAGO 49595.exe  procid_target: 99
  description: PID 2928 wrote to memory of 3384  pid: 2928  Process: PAGO 49595.exe  procid_target: 99
  description: PID 2928 wrote to memory of 3384  pid: 2928  Process: PAGO 49595.exe  procid_target: 99
  description: PID 2928 wrote to memory of 3384  pid: 2928  Process: PAGO 49595.exe  procid_target: 99
  description: PID 2928 wrote to memory of 3384  pid: 2928  Process: PAGO 49595.exe  procid_target: 99
  description: PID 2928 wrote to memory of 3384  pid: 2928  Process: PAGO 49595.exe  procid_target: 99
  description: PID 2928 wrote to memory of 3384  pid: 2928  Process: PAGO 49595.exe  procid_target: 99
  description: PID 2928 wrote to memory of 3384  pid: 2928  Process: PAGO 49595.exe  procid_target: 99
outlook_office_path (1 IoCs)
  description: Key opened  ioc: \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Process: PAGO 49595.exe
outlook_win_path (1 IoCs)
  description: Key opened  ioc: \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Process: PAGO 49595.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PAGO 49595.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PAGO 49595.exe"
  PID: 2928
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PAGO 49595.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PAGO 49595.exe"
    PID: 2676
  - C:\Users\Admin\AppData\Local\Temp\PAGO 49595.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PAGO 49595.exe"
    PID: 3384
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
MD5: 765cff098b629b1eb49e3ef981f7001a
SHA1: 32b7ade1f746d013371141dcebd96e0bb3faeef3
SHA256: ee17be860e129795491b4be61f5ac446b16f2679e056114024ffc72b2e23a9b7
SHA512: ca2d2ddafc2dcbeab2c93f039bdbc567d4c9e0457e741e71c432b7461a1a8165891f22112ff1b57004ba51271899555fbf001db17d2dc748bafc608817bd9474