Analysis
Max time kernel: 25s
Max time network: 41s
Platform: windows10-2004_x64
Resource: win10v2004-20231023-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 14-11-2023 08:42
Static task: static1
Behavioral task: behavioral1
Sample: NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe
Size: 616KB
MD5: 77521173381682b5a1deb286bce27bf4
SHA1: 2ad56680cb0c821b18c269c63f4eeeb770140800
SHA256: 1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6
SHA512: 5366df45795f970f1b17113caf65c1e677b44da372cc85159fc4de4d8d32a08798aa4120cac956014c75fb71fce53ddfe8e76075b66c5f24e50a8f4a12254e53
SSDEEP: 12288:h36N/bxyuAFnSz0cYMSE7a45naENKqIfPbY9QPNTURftb2pLuxQ:h3gqSznYMP5MbskYVapuQ
Malware Config
Extracted family: snakekeylogger
Protocol: smtp
Host: mail.belt-tech.com.my
Port: 587
Username: [email protected]
Password: Beltechpg@1234
Email To: [email protected]
Signatures
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (1 IoC)
Processes:
resource | yara_rule
behavioral2/memory/3280-46-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
30 | checkip.dyndns.org

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
pid | process
2712 | NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe
2712 | NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe
2712 | NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2712 | NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe"
  PID: 2712
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe"
    PID: 1476

  Level 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BwmGnyPcYGIy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp44A5.tmp"
    PID: 956
    Signatures: Creates scheduled task(s)

  Level 2: C:\Users\Admin\AppData\Local\Temp\NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.1de5d25aecac6b32b06fe38549376748d098fd43abb5c23f73ee9ddb780080d6.exe"
    PID: 3280

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BwmGnyPcYGIy.exe"
    PID: 2988
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 2KB
MD5: 968cb9309758126772781b83adb8a28f
SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

File 2
Filesize: 18KB
MD5: 0c38019f9222bb9951d710ff3518d9e4
SHA1: fd3959df0e93f0cf2ed955a0a08e4751f95f9a07
SHA256: 342599d3be1e98fd5afece0ee7183999e22c4b010043cc14ecd3e65eab880445
SHA512: 1f6cd656bdec77dab1344cd6839037f824442f9182f1ff7df1830d05ba97f73a324c2e31fc8ee2c1d7daa37ca6fbc888d83a373c0f6a31fbfa095243e34f33dd

File 3
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

File 4
Filesize: 1KB
MD5: 74ae9823f7d3ea15997899db2b8d213e
SHA1: 33ec554dd10efea22d7df6c3ad82ac1d1f245d81
SHA256: 489c7a7125fd6679dc5a7b375e0afba0f1bf96ef85477881766b75b78b584169
SHA512: 3c8b6fd53047a7d75515360302c914693731e95b842cfd63ebc808653177af2bd3ce2df09c5b1ccdd641ed8b5f426e9ed8a6c0ab7b53aae90eb03e2f8dcb7d65