Analysis
- max time kernel: 36s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
- submitted: 14-11-2023 09:44
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe
- Resource: win7-20231025-en
Behavioral task: behavioral2
- Sample: NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe
- Size: 686KB
- MD5: 5a663a122c4d05a04fbe40571d2271aa
- SHA1: f0e47c9a3b2bda06c706cb680f6f2efadb201520
- SHA256: fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948
- SHA512: a421723519a558abad954c13be517a3ec3ff945c197c7715c6b1746a7dd54a436a2846a2334651f4bfe19ad02c5a8a04809daa4d61e3c61d6490c5e3c7d67c06
- SSDEEP: 12288:S0gM1iEpS4TRIBS0eVR8IwE1WqoPTvSFxU5LlbI:SiRp3T+GXDXoPTvIALlbI
Malware Config
Extracted
Family: snakekeylogger
- Protocol: smtp
- Host: mail.gkas.com.tr
- Port: 587
- Username: [email protected]
- Password: Gkasteknik@2022
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (2 IoCs)
  Processes:
  resource: behavioral2/memory/4440-12-0x0000000000400000-0x0000000000424000-memory.dmp, yara_rule: family_snakekeylogger
  resource: behavioral2/memory/4440-21-0x0000000005880000-0x0000000005890000-memory.dmp, yara_rule: family_snakekeylogger
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 4508 (NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe) set thread context of 4440
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
  pid 4508 (NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe): 6 events
  pid 4440 (NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe): 2 events
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  Token: SeDebugPrivilege, pid 4508 (NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe)
  Token: SeDebugPrivilege, pid 4440 (NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  PID 4508 (NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe) wrote to memory of 4440, 8 events
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe"
  Depth: 1, PID: 4508
  - C:\Users\Admin\AppData\Local\Temp\NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe"
    Depth: 2, PID: 4440
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
  Depth: 1, PID: 1424
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  Depth: 1, PID: 2132
Downloads
- Filesize: 16KB
  MD5: c51a434658c309f92169b69419ad619a
  SHA1: 8cf1467a6f6185116d1d8df65f20f02ecb224c1d
  SHA256: ce2b026b74e0a33dbef8da05cfcde75de5022d89a8c86855a901073314941cc9
  SHA512: 8b2a11bc86141405194338d85b9e746c46ef2305b1ae35b60019df45c5ef6abe1b62de153257bac6e3e21a09bbd2d726ed97f63c5f33acc1b580b805d125c861
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEAS.fde758d52b541296b4a6f68c65332fb1ae491b7d92723faafd252b3f46d9c948.exe.log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3