Malware Analysis Report

2025-08-10 18:11

Sample ID 230720-hvcvxadh2z
Target PAGO 748844.exe
SHA256 8a88d8c71eeff5031c0be922bad9639753a904fbf78536c0f8ac0619ae69d1b4
Tags
snakekeylogger collection keylogger spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8a88d8c71eeff5031c0be922bad9639753a904fbf78536c0f8ac0619ae69d1b4

Threat Level: Known bad

The file PAGO 748844.exe was found to be: Known bad.

Malicious Activity Summary

snakekeylogger collection keylogger spyware stealer

Snake Keylogger payload

Snake Keylogger

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_win_path

outlook_office_path

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-20 07:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-20 07:03

Reported

2023-07-20 07:05

Platform

win7-20230712-en

Max time kernel

119s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2996 set thread context of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe

"C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe"

C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe

"C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | checkip.dyndns.org | udp
DE | 193.122.6.168:80 | checkip.dyndns.org | tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-07-20 07:03

Reported

2023-07-20 07:05

Platform

win10v2004-20230703-en

Max time kernel

142s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4772 set thread context of 3824 | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe

"C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe"

C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe

"C:\Users\Admin\AppData\Local\Temp\PAGO 748844.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3824 -ip 3824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 1496

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | checkip.dyndns.org | udp
BR | 132.226.247.73:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.247.226.132.in-addr.arpa | udp
US | 8.8.8.8:53 | 218.240.110.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAGO 748844.exe.log

MD5 765cff098b629b1eb49e3ef981f7001a
SHA1 32b7ade1f746d013371141dcebd96e0bb3faeef3
SHA256 ee17be860e129795491b4be61f5ac446b16f2679e056114024ffc72b2e23a9b7
SHA512 ca2d2ddafc2dcbeab2c93f039bdbc567d4c9e0457e741e71c432b7461a1a8165891f22112ff1b57004ba51271899555fbf001db17d2dc748bafc608817bd9474