Analysis
- Max time kernel: 123s
- Max time network: 150s
- Platform: windows10-2004_x64
- Resource: win10v2004-20231127-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 04-12-2023 19:17
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample Productlist4894216.exe, resource win7-20231020-en)
- Behavioral task: behavioral2 (sample Productlist4894216.exe, resource win10v2004-20231127-en)
General
- Target: Productlist4894216.exe
- Size: 518KB
- MD5: ad765d2ef67e4db961aa06c02b8f25cd
- SHA1: 4785d4998971c1719d064f62f7c939064eb7750c
- SHA256: 4da4ec8a7a3b648539a6c58926876bd08bafed5329b52e05a0da9d42365ed229
- SHA512: 9e1e2208cb7182be4ef2ec3251a97791d5ae39cd2938a54558f3b3c9c76980b3d55dc00c2b88c10fdedd2969476aa8530a5f0e4b359dbceef37e7d41dbb65349
- SSDEEP: 12288:H45+po2oe0Qr02iShrPHNKSBZlY7f79reeEmA6:m+pJPdrfiSps7f7pbT9
Malware Config
Extracted family: snakekeylogger
- Protocol: smtp
- Host: mail.belt-tech.com.my
- Port: 587
- Username: [email protected]
- Password: Beltechpg@1234
- Email To: [email protected]
These are the sample's exfiltration settings: stolen keystrokes and credentials are mailed through this account. Snake Keylogger builds typically ship with a compromised legitimate mailbox, so treat the host, port and credentials as indicators for blocking and for notifying the mailbox owner, not as a login to reuse.
Signatures
- Snake Keylogger: keylogger and infostealer first seen in November 2020.
- Snake Keylogger payload (2 IoCs). YARA rule family_snakekeylogger matched two memory regions dumped from PID 4008 (RegSvcs.exe), i.e. the payload is identified in the hollowed process's memory rather than in the dropper's own image:
  - behavioral2/memory/4008-13-0x0000000000400000-0x0000000000426000-memory.dmp (family_snakekeylogger)
  - behavioral2/memory/4008-16-0x0000000004B60000-0x0000000004B70000-memory.dmp (family_snakekeylogger)
- Looks up external IP address via web service (1 IoC). Uses a legitimate IP lookup service to find the infected system's external IP:
  - flow 39: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC):
  - PID 2000 (Productlist4894216.exe) set thread context of PID 4008 (RegSvcs.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC):
  - PID 4008 (RegSvcs.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC):
  - PID 4008 (RegSvcs.exe) enabled SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs):
  - PID 2000 (Productlist4894216.exe) wrote to the memory of PID 4008 (RegSvcs.exe), 8 times
Read together, the repeated WriteProcessMemory calls from the dropper into a freshly spawned RegSvcs.exe, followed by SetThreadContext on that process, are the process-hollowing (RunPE) sequence: the signed .NET utility is used as a host, the payload is written into it (the region starting at 0x400000 in PID 4008 is where the YARA rule hits), and its thread is redirected to the injected code. The privilege token change, process enumeration, external IP lookup and SMTP configuration all belong to the payload running inside RegSvcs.exe, not to RegSvcs.exe itself.
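The signature table above is a flat list of events; what makes it a process-hollowing detection is the combination (same parent/child pair, several memory writes plus a thread-context reset, different image in the child), and what makes the network events interesting is that they come from the hollowed child. The following is an added example of that correlation logic, not code from the Tria.ge report or from the sample. The Event schema, the HOLLOW_HOSTS and IP_LOOKUP_HOSTS lists, the severities and the write threshold are assumptions; the sample events are constructed from the PIDs, images and flow in this report, with the SMTP connect taken from the extracted config rather than from an observed flow.

```python
"""Correlate sandbox behaviour events into hollowing and exfil-prep findings.
Added example; Event schema, host lists, severities and thresholds are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Signed .NET framework utilities that .NET loaders commonly hollow and run
# their payload inside. Assumed list; RegSvcs.exe is the one this report shows.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
# Public "what is my IP" services. Assumed list; checkip.dyndns.org is from the report.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com"}
MAIL_PORTS = {25, 465, 587}


@dataclass
class Event:
    kind: str                           # write_memory | set_thread_context | dns | tcp_connect
    pid: int
    image: str
    target_pid: Optional[int] = None    # set for cross-process events
    target_image: Optional[str] = None
    host: Optional[str] = None          # set for network events
    port: Optional[int] = None


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_hollowing(events: List[Event], min_writes: int = 2) -> List[Dict]:
    """A parent that writes a child's memory repeatedly AND resets one of its
    thread contexts, where the child is a different binary, is the classic
    process-hollowing / RunPE sequence. A lone write or a lone context reset
    (debuggers, some installers) is not enough to fire."""
    writes: Dict[tuple, int] = defaultdict(int)
    ctx: Set[tuple] = set()
    images: Dict[tuple, tuple] = {}
    for e in events:
        if e.target_pid is None:
            continue
        pair = (e.pid, e.target_pid)
        if pair not in images or e.target_image:
            images[pair] = (e.image, e.target_image or "")
        if e.kind == "write_memory":
            writes[pair] += 1
        elif e.kind == "set_thread_context":
            ctx.add(pair)
    findings = []
    for pair in sorted(ctx):
        src, dst = images[pair]
        if writes[pair] < min_writes or _base(src) == _base(dst):
            continue
        findings.append({
            "severity": "high" if _base(dst) in HOLLOW_HOSTS else "medium",
            "parent_pid": pair[0], "child_pid": pair[1], "writes": writes[pair],
            "detail": f"{_base(src)} -> {_base(dst)}: {writes[pair]} WriteProcessMemory + SetThreadContext",
        })
    return findings


def detect_exfil_prep(events: List[Event], hollowed: Set[int]) -> List[Dict]:
    """External-IP lookup and direct SMTP from a hollowed child: the beacon and
    exfil pattern matching the SMTP config extracted above."""
    findings = []
    for e in events:
        if e.kind == "dns" and e.host and e.host.lower() in IP_LOOKUP_HOSTS:
            findings.append({"severity": "medium" if e.pid in hollowed else "low",
                             "pid": e.pid, "port": None,
                             "detail": f"{_base(e.image)} external IP lookup via {e.host}"})
        elif e.kind == "tcp_connect" and e.port in MAIL_PORTS and e.pid in hollowed:
            findings.append({"severity": "high", "pid": e.pid, "port": e.port,
                             "detail": f"{_base(e.image)} direct SMTP to {e.host}:{e.port}"})
    return findings


def analyze(events: List[Event]) -> Dict[str, List[Dict]]:
    hollow = detect_hollowing(events)
    net = detect_exfil_prep(events, {f["child_pid"] for f in hollow})
    return {"hollowing": hollow, "network": net}


# Constructed events mirroring the report: 8 writes and one SetThreadContext
# from PID 2000 into PID 4008, the checkip.dyndns.org flow from 4008, and an
# SMTP connect to the host from the extracted config (assumed, not an observed
# flow). The explorer/notepad pair is benign noise that must not fire.
SRC = r"C:\Users\Admin\AppData\Local\Temp\Productlist4894216.exe"
DST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SAMPLE_EVENTS = [Event("write_memory", 2000, SRC, 4008, DST) for _ in range(8)] + [
    Event("set_thread_context", 2000, SRC, 4008, DST),
    Event("dns", 4008, DST, host="checkip.dyndns.org"),
    Event("tcp_connect", 4008, DST, host="mail.belt-tech.com.my", port=587),
    Event("write_memory", 1234, r"C:\Windows\explorer.exe", 5678, r"C:\Windows\notepad.exe"),
    Event("dns", 5678, r"C:\Windows\notepad.exe", host="checkip.dyndns.org"),
]

if __name__ == "__main__":
    for section, items in analyze(SAMPLE_EVENTS).items():
        for f in items:
            print(section, f["severity"], f["detail"])
```

On the report's events this yields one high-severity hollowing finding (2000 -> 4008, 8 writes), a medium IP-lookup finding and a high SMTP finding for PID 4008, and only a low-severity note for the lookup from the benign process; a context reset without enough prior writes, or writes into a child with the same image, produce nothing.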
Processes
1. C:\Users\Admin\AppData\Local\Temp\Productlist4894216.exe (PID 2000)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Productlist4894216.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 4008, child of PID 2000)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken