Overview

overview

10

Static

static

3

Product List.exe

windows7-x64

10

Product List.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2023 16:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Product List.exe

  • Size

    1.0MB

  • MD5

    5859deb7a9114c494516b03411c9165d

  • SHA1

    a1c5aec26f47eb5d76d9d80048c5fed2ad75ff2a

  • SHA256

    e210886b7dd377ce7c5e9642bf043bf17c8943adabf2a940ec6844f286587629

  • SHA512

    114957cc064026bf39b42bd4934aa8e660098b15c3550a328e5912af83237fa34676ed0ad27b25b4979817279f4eb805f7cd99ba8c131a5f75867988e7ea1255

  • SSDEEP

    12288:sQ4fzMJr5vyagVsQVo2T4iOAS3De5EbqDIe0OLKcWYEb:T4fzMT3gVs8o8OAAe0OlC

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Product List.exe
    "C:\Users\Admin\AppData\Local\Temp\Product List.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:3520

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3520-0-0x00000000009D0000-0x0000000000ADA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3520-1-0x0000000075040000-0x00000000757F0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3520-2-0x0000000005B10000-0x00000000060B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3520-3-0x00000000054B0000-0x0000000005542000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3520-4-0x0000000005480000-0x0000000005490000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3520-5-0x0000000005590000-0x000000000559A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3520-6-0x0000000005AD0000-0x0000000005AE8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3520-7-0x0000000005AF0000-0x0000000005AF6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3520-8-0x0000000004EE0000-0x0000000004EEA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3520-9-0x0000000007020000-0x0000000007080000-memory.dmp

    Filesize

    384KB

    Download

  • memory/3520-10-0x0000000008120000-0x00000000081BC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3520-11-0x0000000075040000-0x00000000757F0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3520-12-0x0000000005480000-0x0000000005490000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3520-13-0x0000000008080000-0x00000000080A6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3520-14-0x0000000008E90000-0x0000000008EE0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3520-15-0x000000000B3A0000-0x000000000B562000-memory.dmp

    Filesize

    1.8MB

    Download