Overview

overview

10

Static

static

3

19aa66f2ca...3c.exe

windows7-x64

1

19aa66f2ca...3c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2023 23:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19aa66f2ca96ec4579ee920e9ec1c73c.exe

  • Size

    433KB

  • MD5

    19aa66f2ca96ec4579ee920e9ec1c73c

  • SHA1

    fca845bb38cbd038912a9150566a13f5af2f1d4e

  • SHA256

    e75e132f419523529e59356445a2f5bb1a031281344a85598ba5059e608f8549

  • SHA512

    a3e3e76e3198bccd60d1235c403e108fad8bf674b5cead354b2a0e2e0439a80c13b18065ca41cd674b62599f805a862ab1c704c9ee01f22219c12131cf385581

  • SSDEEP

    6144:w09XrpG6Bcwqh3SB4Rb3DggpBMDPnGQ5njdynEqLl4p8dVRWuR4AY+SoKm6+hwou:wAdG6OE6YNDPlh43lFVRWuGAYqu

Score
10/10
snakekeyloggerkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

Credentials
C2

https://api.telegram.org/bot1483662500:AAGrMuxJV05-It-ke-xXVV6-R6IAtETpJb0/sendMessage?chat_id=1300181783

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19aa66f2ca96ec4579ee920e9ec1c73c.exe
    "C:\Users\Admin\AppData\Local\Temp\19aa66f2ca96ec4579ee920e9ec1c73c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3728
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\19aa66f2ca96ec4579ee920e9ec1c73c.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2044
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1784
        3⤵
        • Program crash
        PID:440
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2044 -ip 2044
    1⤵
      PID:2936

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2044-3-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2044-4-0x0000000074F50000-0x0000000075700000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2044-5-0x0000000005690000-0x0000000005C34000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2044-6-0x0000000005180000-0x000000000521C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2044-7-0x0000000005450000-0x0000000005460000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2044-8-0x0000000074F50000-0x0000000075700000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3728-1-0x00000000000A0000-0x00000000001A0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3728-2-0x0000000000640000-0x0000000000642000-memory.dmp

      Filesize

      8KB

      Download