Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 05/08/2023, 09:53
Static task: static1
Behavioral task: behavioral1
Sample: 73938a877e6150f9e2c46a84df8c1eef.exe
Resource: win7-20230712-en
General
Target: 73938a877e6150f9e2c46a84df8c1eef.exe
Size: 601KB
MD5: 73938a877e6150f9e2c46a84df8c1eef
SHA1: b29a8dff1e2f90620a2f1a24750e578ec38026cc
SHA256: f5f16852761bc7fdf0327d60493d3910bf40f826d42b8bd84f145d5ed659ae6b
SHA512: 91b9b7dbf61a21896562769aee8a12dc6697e048536b8de74118d710b4297758aadde5037e7c1b60876ed45721934bfc383d9f48b80fd2707e42e127d50655af
SSDEEP: 12288:cRmZ2iNuWvSv0BQLY0s5CzoTSgadrLrjEpd8:n1Akbk/s5eoTEOO
Malware Config
Extracted: snakekeylogger
Protocol: ftp
Host: ftp://almasa.com.pe/
Port: 21
Username: [email protected]
Password: i($Ei~YKMTZY
Signatures

Snake Keylogger
Keylogger and infostealer first seen in November 2020.

Snake Keylogger payload (1 IoC)
resource: behavioral1/memory/2300-62-0x0000000002190000-0x00000000021B6000-memory.dmp
yara_rule: family_snakekeylogger

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow: 4
ioc: checkip.dyndns.org

Suspicious behavior: EnumeratesProcesses (56 IoCs)
pid: 2300
Process: 73938a877e6150f9e2c46a84df8c1eef.exe
(the same pid/process pair is recorded for all 56 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeDebugPrivilege
pid: 2300
Process: 73938a877e6150f9e2c46a84df8c1eef.exe