Analysis
-
max time kernel
131s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
02-10-2023 08:19
Static task
static1
Behavioral task
behavioral1
Sample
Webxinfy.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
Webxinfy.exe
Resource
win10v2004-20230915-en
General
-
Target
Webxinfy.exe
-
Size
424KB
-
MD5
aef95313f585ac4fcf3fd9b6c489b286
-
SHA1
d0d887a33c18e6b70f4e37fbc0e1a384b33b476c
-
SHA256
b3dba4262136858ea1c87d1aca82830267af72efb7f509faa21dddcec066bc89
-
SHA512
97586a81524469fdb2d49778006a7b6d42b14a871e9b346572551374692fe55ce16337240aacbacb90ea3dca0dd993e96a4303be5f037cb72df00d97f2b93704
-
SSDEEP
6144:gVBZhKsN6+zRDQSsFv9CK5uj2rUHBwK67AfsOgy2tCeYYHrMEzvwe/vy3VXB1:gFhTOllCKsj2njAfsOgtzvZWV7
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot6495173086:AAHM8NMu-uOSJHZaHij-umtWDUwi5-hOLog/sendMessage?chat_id=5262627523
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3392-10-0x0000000140000000-0x0000000140022000-memory.dmp family_snakekeylogger behavioral2/memory/3392-16-0x00000144F1590000-0x00000144F15A0000-memory.dmp family_snakekeylogger -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Webxinfy.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sssssssss = "C:\\Users\\Admin\\AppData\\Roaming\\sssssssss.exe" Webxinfy.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 55 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Webxinfy.exedescription pid process target process PID 3472 set thread context of 3392 3472 Webxinfy.exe MSBuild.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
MSBuild.exepid process 3392 MSBuild.exe 3392 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Webxinfy.exeMSBuild.exedescription pid process Token: SeDebugPrivilege 3472 Webxinfy.exe Token: SeDebugPrivilege 3392 MSBuild.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
Webxinfy.exedescription pid process target process PID 3472 wrote to memory of 3392 3472 Webxinfy.exe MSBuild.exe PID 3472 wrote to memory of 3392 3472 Webxinfy.exe MSBuild.exe PID 3472 wrote to memory of 3392 3472 Webxinfy.exe MSBuild.exe PID 3472 wrote to memory of 3392 3472 Webxinfy.exe MSBuild.exe PID 3472 wrote to memory of 3392 3472 Webxinfy.exe MSBuild.exe PID 3472 wrote to memory of 3392 3472 Webxinfy.exe MSBuild.exe -
outlook_office_path 1 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe -
outlook_win_path 1 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Webxinfy.exe"C:\Users\Admin\AppData\Local\Temp\Webxinfy.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3392