Analysis

max time kernel: 158s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2023 03:31
Static task: static1

Behavioral task: behavioral1
  Sample: 033464d80692b6ffd9f6938d8dca921b.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 033464d80692b6ffd9f6938d8dca921b.exe
  Resource: win10v2004-20231215-en
General

Target: 033464d80692b6ffd9f6938d8dca921b.exe
Size: 806KB
MD5: 033464d80692b6ffd9f6938d8dca921b
SHA1: 5463c7b2e3928d029d9ef4e9ae834994b8650d13
SHA256: 96007bdda9d12cf59fd2844843f62d3a86b85cb732ee76004e2f93ac38d8c8af
SHA512: 3c439e201b019bf8a9965211abb10ededdae3c74559ce0fa6c476ddd09743aa280aca074be85d8a450be607fb4998fc1f39cffbd481bf0189bcdca5bddef0fd0
SSDEEP: 3072:2lSqfUfx0swpErm4ymFvR1pKucd78GMupAuFP27hIbf1sPzUgIAzI9+mCz7C3BfU:NqAxspJ45j+uZXu9EIBsYg1Cg
Malware Config

Extracted
  Family: snakekeylogger
  URL: https://api.telegram.org/bot1880141509:AAHjseWsCVnzygKB72YGbdj6S0DpdeKfGSs/sendMessage?chat_id=565072597
Signatures

Detect ZGRat V1 (1 IoC)
  resource: behavioral2/memory/3192-9-0x00000000058A0000-0x00000000058B6000-memory.dmp
  yara_rule: family_zgrat_v1

Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (1 IoC)
  resource: behavioral2/memory/2404-10-0x0000000000400000-0x0000000000426000-memory.dmp
  yara_rule: family_snakekeylogger

Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 34: checkip.dyndns.org
  flow 38: freegeoip.app
  flow 39: freegeoip.app

Suspicious use of SetThreadContext (1 IoC)
  process: 033464d80692b6ffd9f6938d8dca921b.exe (PID 3192) set thread context of 033464d80692b6ffd9f6938d8dca921b.exe (PID 2404)

Program crash (1 IoC)
  process: WerFault.exe (PID 2280), target process: 033464d80692b6ffd9f6938d8dca921b.exe (PID 2404)

Suspicious behavior: EnumeratesProcesses (1 IoC)
  process: 033464d80692b6ffd9f6938d8dca921b.exe (PID 2404)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  process: 033464d80692b6ffd9f6938d8dca921b.exe (PID 2404), Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (8 IoCs)
  process: 033464d80692b6ffd9f6938d8dca921b.exe (PID 3192) wrote to memory of 033464d80692b6ffd9f6938d8dca921b.exe (PID 2404), 8 identical entries
Processes

C:\Users\Admin\AppData\Local\Temp\033464d80692b6ffd9f6938d8dca921b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\033464d80692b6ffd9f6938d8dca921b.exe"
  PID: 3192
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\033464d80692b6ffd9f6938d8dca921b.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\033464d80692b6ffd9f6938d8dca921b.exe"
      PID: 2404
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1816
          PID: 2280
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2404 -ip 2404
  PID: 4124
Network
MITRE ATT&CK Matrix
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\033464d80692b6ffd9f6938d8dca921b.exe.log
  Filesize: 886B
  MD5: e15936e36b221de74505dd8f8ce05d91
  SHA1: dfe096b87c4f9c82ef96d8680e8dc8d6ab0e876d
  SHA256: 4aba5e427d42a82df10ce9e5c5869541ff843ef391fea5a25fb41c2d908db868
  SHA512: d2cf14cac375edeaa8be04749f910e5809a2b3daf20a47668ce4e4ee7935b87f89d817d71659596c5664a878666df1b43bbef6b9f91636e564a15452735d67bd