Analysis
Max time kernel: 145s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 24-12-2023 23:29
Static task: static1
Behavioral task: behavioral1
  Sample: 19aa66f2ca96ec4579ee920e9ec1c73c.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 19aa66f2ca96ec4579ee920e9ec1c73c.exe
  Resource: win10v2004-20231215-en
General
Target: 19aa66f2ca96ec4579ee920e9ec1c73c.exe
Size: 433KB
MD5: 19aa66f2ca96ec4579ee920e9ec1c73c
SHA1: fca845bb38cbd038912a9150566a13f5af2f1d4e
SHA256: e75e132f419523529e59356445a2f5bb1a031281344a85598ba5059e608f8549
SHA512: a3e3e76e3198bccd60d1235c403e108fad8bf674b5cead354b2a0e2e0439a80c13b18065ca41cd674b62599f805a862ab1c704c9ee01f22219c12131cf385581
SSDEEP: 6144:w09XrpG6Bcwqh3SB4Rb3DggpBMDPnGQ5njdynEqLl4p8dVRWuR4AY+SoKm6+hwou:wAdG6OE6YNDPlh43lFVRWuGAYqu
Malware Config
Extracted family: snakekeylogger
Protocol: smtp
Host: mail.sayimkalip.com
Port: 587
Username: [email protected]
Password: 3edcvfr4**
Email To: [email protected]
Telegram: https://api.telegram.org/bot1483662500:AAGrMuxJV05-It-ke-xXVV6-R6IAtETpJb0/sendMessage?chat_id=1300181783
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoC)
  Resource: behavioral2/memory/2044-3-0x0000000000400000-0x0000000000424000-memory.dmp
  YARA rule: family_snakekeylogger
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 51: freegeoip.app
  Flow 36: checkip.dyndns.org
  Flow 48: freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  PID 3728 (19aa66f2ca96ec4579ee920e9ec1c73c.exe) set thread context of PID 2044 (MSBuild.exe)
- Program crash (1 IoC)
  PID 440 (WerFault.exe) handled the crash of PID 2044 (MSBuild.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2044 (MSBuild.exe)
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 3728 (19aa66f2ca96ec4579ee920e9ec1c73c.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 2044 (MSBuild.exe), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 3728 (19aa66f2ca96ec4579ee920e9ec1c73c.exe) wrote to memory of PID 2044 (MSBuild.exe), 4 events

Read together, the last three signatures on PID 3728 (MapViewOfSection, four WriteProcessMemory calls into PID 2044, then SetThreadContext on PID 2044) are the process-hollowing pattern: the dropper starts the signed .NET host MSBuild.exe, overwrites its image in memory, and redirects its main thread to the injected code. The MSBuild.exe process keeps the dropper's command line (see Processes), and the family YARA rule matches in the MSBuild.exe memory dump rather than in the dropper, which is why the payload IoC points at PID 2044.
Processes
- C:\Users\Admin\AppData\Local\Temp\19aa66f2ca96ec4579ee920e9ec1c73c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\19aa66f2ca96ec4579ee920e9ec1c73c.exe"
  PID: 3728
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\19aa66f2ca96ec4579ee920e9ec1c73c.exe"
    PID: 2044
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1784
      PID: 440
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2044 -ip 2044
  PID: 2936
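The WriteProcessMemory and SetThreadContext signatures above, combined with MSBuild.exe running under the dropper's command line, are what a detection rule for process hollowing correlates. The script below is an added example, not part of this report or of any sandbox's code: it runs that correlation over constructed event lines whose key=value layout is this example's own assumption. The PIDs, image paths and command lines are taken from the report; the four WriteProcessMemory lines mirror the "4 IoCs" entry.

```python
"""Correlate sandbox API events into a process-hollowing alert.

Rule: a process that (1) created a child, (2) wrote into that child's
memory and (3) called SetThreadContext on it has replaced the child's
code. Confidence is raised when the child's image path disagrees with
the executable named on its own command line, as MSBuild.exe does here.
"""
import re
from collections import defaultdict
from ntpath import basename

# Constructed event lines modelled on the signatures in the report above.
# They are not sandbox output; the key=value layout is an assumption of
# this example. Values come from the report's process tree.
SAMPLE_EVENTS = [
    r'CreateProcess pid=3728 image=C:\Users\Admin\AppData\Local\Temp\19aa66f2ca96ec4579ee920e9ec1c73c.exe cmdline="C:\Users\Admin\AppData\Local\Temp\19aa66f2ca96ec4579ee920e9ec1c73c.exe"',
    r'CreateProcess pid=2044 ppid=3728 image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe cmdline="C:\Users\Admin\AppData\Local\Temp\19aa66f2ca96ec4579ee920e9ec1c73c.exe"',
    r'WriteProcessMemory pid=3728 target=2044',
    r'WriteProcessMemory pid=3728 target=2044',
    r'WriteProcessMemory pid=3728 target=2044',
    r'WriteProcessMemory pid=3728 target=2044',
    r'SetThreadContext pid=3728 target=2044',
    r'CreateProcess pid=440 ppid=2044 image=C:\Windows\SysWOW64\WerFault.exe cmdline="C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1784"',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split 'Op key=value key="quoted value"' into (op, {key: value})."""
    op, _, rest = line.partition(" ")
    return op, {k: q or u for k, q, u in _KV.findall(rest)}


def cmdline_image(cmdline):
    """Lower-cased file name of the (possibly quoted) argv[0] token."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return basename((m.group(1) or m.group(2)).lower()) if m else ""


def detect_hollowing(lines):
    procs = {}                 # pid -> CreateProcess fields
    writes = defaultdict(int)  # (writer, target) -> WriteProcessMemory count
    ctx = set()                # (caller, target) for SetThreadContext
    for line in lines:
        op, f = parse_event(line)
        if op == "CreateProcess":
            procs[int(f["pid"])] = f
        elif op == "WriteProcessMemory":
            writes[(int(f["pid"]), int(f["target"]))] += 1
        elif op == "SetThreadContext":
            ctx.add((int(f["pid"]), int(f["target"])))

    alerts = []
    for parent, child in sorted(ctx):
        p = procs.get(child)
        if p is None or int(p.get("ppid", -1)) != parent:
            continue  # context set on a process it did not create: not this rule
        if writes[(parent, child)] == 0:
            continue  # nothing was written, so nothing was hollowed
        real = basename(p["image"].lower())
        claimed = cmdline_image(p["cmdline"])
        alerts.append({
            "parent": parent,
            "child": child,
            "child_image": real,
            "cmdline_image": claimed,
            "writes": writes[(parent, child)],
            "confidence": "high" if real != claimed else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in detect_hollowing(SAMPLE_EVENTS):
        print(f"hollowing: {a['parent']} -> {a['child']} ({a['child_image']} "
              f"claims to be {a['cmdline_image']}), {a['writes']} writes, "
              f"{a['confidence']} confidence")
```

Run as-is it reports one alert, 3728 into 2044, at high confidence. The ppid check matters: debuggers and some installers legitimately call SetThreadContext on processes they did not create, and hollowing specifically targets a child started suspended by the writer, so restricting the rule to parent-child pairs keeps the false-positive rate manageable when the same logic is pointed at real EDR telemetry.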