Behavioral task
behavioral1
Sample
4032-8-0x0000000000400000-0x0000000000424000-memory.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
4032-8-0x0000000000400000-0x0000000000424000-memory.exe
Resource
win10v2004-20231023-en
General
-
Target
4032-8-0x0000000000400000-0x0000000000424000-memory.dmp
-
Size
144KB
-
MD5
3b15bcd236e223417e7931da75adc45c
-
SHA1
91f53ca6de7709a1a64641b51b8f251dcda1f75f
-
SHA256
4d2bfefb6273c98a7d53ffc2a17d728ee5c14bcb84cf2a491446b44853685650
-
SHA512
4951138024c6e1699f7c19c8eb4c76243414fa37decfd3a6a5b4430c90d8e14b666e61b31c9e6fc76dc395b40d64871ed185f32a5630e67e3588533d86753327
-
SSDEEP
3072:ywDkHihhXdB4LtIfXW9Bb7Vbb7HeOa+wBvPCgbY:8c0oG99RbbsPLb
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
resultsurex.com - Port:
587 - Username:
[email protected] - Password:
d()&nzU1tC3+
Protocol: ftp- Host:
ftp://ftp.resultsurex.com/ - Port:
21 - Username:
[email protected] - Password:
[XH~0fB9c]@*
https://api.telegram.org/bot6783929306:AAFJU35OkwjDMHKdR2FUDQELnw67_grsAts/sendMessage?chat_id=5986156290
Signatures
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule sample family_snakekeylogger -
Snakekeylogger family
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
Processes:
resource 4032-8-0x0000000000400000-0x0000000000424000-memory.dmp
Files
-
4032-8-0x0000000000400000-0x0000000000424000-memory.dmp.exe windows:4 windows x86
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Sections
.text Size: 120KB - Virtual size: 119KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ