Analysis
max time kernel: 40s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2023 08:15
Static task: static1
Behavioral task: behavioral1
  Sample: 115f6d94f2fd77eda6b81780e8051f0d.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 115f6d94f2fd77eda6b81780e8051f0d.exe
  Resource: win10v2004-20231215-en (the run whose signatures and process tree are reported below)
General
Target: 115f6d94f2fd77eda6b81780e8051f0d.exe
Size: 665KB
MD5: 115f6d94f2fd77eda6b81780e8051f0d
SHA1: 984bc609ef9c5da154a3d442051f3a9a0725ee23
SHA256: 486032726bf8f655211586986bdc0e49f0149c0a85cfaebf1ff8c28e0587bc85
SHA512: f4c00cbc727885c482a752322844775fcbf854c1607966654307e9c9077060689050a5326bbacee278c4e04024a29f945a5622384c788d9f4f65a50f4ad035b3
SSDEEP: 12288:tCtQvsls8COsBgo0q4wM90bVCW1VaZ3YDeoyi8hJHf5gCyKtytmLa:tCtQvwCOsBgo0q4wMSb31VaVUDyiAKCc
Malware Config
Extracted family: snakekeylogger
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: [email protected]
Password: Chukwudim28@
Email To: [email protected]
The sample carries the full credentials of the mailbox it exfiltrates through, so the extracted config exposes the operator's SMTP account as well as the collection address (both addresses are obfuscated in the captured page). mailhostbox.com is a shared mail-hosting service rather than attacker-owned infrastructure, so the host name on its own is a weak indicator; the usable detection is mail submission on port 587 from a host that is not a mail client, paired with the external-IP lookup recorded under Signatures.
Signatures
Snake Keylogger
  Keylogger and infostealer first seen in November 2020.
Snake Keylogger payload (1 IoC)
  resource: behavioral2/memory/3212-18-0x0000000000400000-0x0000000000424000-memory.dmp
  yara_rule: family_snakekeylogger
  The family rule matched the memory of the second instance of the executable (PID 3212, region 0x400000-0x424000), not the parent that started it; see the process tree below.
CustAttr .NET packer (1 IoC)
  Detects the CustAttr .NET packer in memory.
  resource: behavioral2/memory/1172-8-0x0000000005340000-0x0000000005352000-memory.dmp
  yara_rule: CustAttr
  The packer rule matched in the first instance (PID 1172), which is the stage that spawns the child carrying the keylogger.
Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 114: freegeoip.app
  flow 115: freegeoip.app
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
  pid 388 (WerFault.exe) reporting on target pid 3212 (115f6d94f2fd77eda6b81780e8051f0d.exe)
  The crashing process is the child whose memory the family rule matched, so the crash does not mean the sample never unpacked; the payload was already resident when WerFault was invoked.
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
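The IP-lookup signature and the extracted SMTP config together describe the sample's network footprint: a request to freegeoip.app to learn the victim's public address, then mail submission on port 587 to the configured host. The following is an added example, not part of the sandbox report, of correlating those two behaviours in a network log; the log format, the log lines and the source addresses are constructed, and the indicators are the ones listed above.

```python
"""Correlate the two network behaviours the report records for this sample:
an external-IP lookup against freegeoip.app and SMTP submission (TCP/587) to
the mail host in the extracted Snake Keylogger config. Added example, not
part of the sandbox report; the log format and the log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators copied from the report above.
IP_LOOKUP_DOMAINS = {"freegeoip.app"}
EXFIL_MAIL_HOSTS = {"us2.smtp.mailhostbox.com"}
SMTP_PORTS = {25, 465, 587}      # 587 is the port in the extracted config

# Constructed log lines: "<utc timestamp> <src ip> <dns|conn> <host> <port>".
SAMPLE_LOG = """\
2023-12-25T08:16:01Z 10.0.0.7 dns  freegeoip.app            443
2023-12-25T08:16:02Z 10.0.0.7 conn freegeoip.app            443
2023-12-25T08:16:40Z 10.0.0.7 conn us2.smtp.mailhostbox.com 587
2023-12-25T08:17:00Z 10.0.0.9 conn us2.smtp.mailhostbox.com 587
2023-12-25T09:30:00Z 10.0.0.7 dns  freegeoip.app            443
"""


def parse_line(line):
    ts, src, kind, host, port = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, kind, host.lower(), int(port)


def detect(log_text, window=timedelta(minutes=10)):
    """Return (src, severity, reason) tuples, one per connection to the exfil host."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    lookups = defaultdict(list)      # src ip -> timestamps of IP-lookup activity
    alerts = []
    for ts, src, kind, host, port in events:
        if host in IP_LOOKUP_DOMAINS:
            # An IP lookup on its own is too common to alert on; just remember it.
            lookups[src].append(ts)
            continue
        if host in EXFIL_MAIL_HOSTS and port in SMTP_PORTS:
            # Events are time-ordered, so every remembered lookup precedes this one.
            prior = [t for t in lookups[src] if ts - t <= window]
            if prior:
                alerts.append((src, "high",
                               f"IP lookup at {prior[-1]:%H:%M:%S} then SMTP to {host}:{port}"))
            else:
                alerts.append((src, "medium",
                               f"SMTP submission to known Snake Keylogger mail host {host}:{port}"))
    return alerts


if __name__ == "__main__":
    for src, sev, why in detect(SAMPLE_LOG):
        print(f"{sev:6} {src:10} {why}")
```

The lookup-then-submit pairing is what distinguishes this family's exfiltration from an ordinary mail client; the host-only match is kept at a lower severity because the relay is shared hosting.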
Processes
1  C:\Users\Admin\AppData\Local\Temp\115f6d94f2fd77eda6b81780e8051f0d.exe  (PID 1172)
   command line: "C:\Users\Admin\AppData\Local\Temp\115f6d94f2fd77eda6b81780e8051f0d.exe"
   2  C:\Users\Admin\AppData\Local\Temp\115f6d94f2fd77eda6b81780e8051f0d.exe  (PID 3212)
      command line: "C:\Users\Admin\AppData\Local\Temp\115f6d94f2fd77eda6b81780e8051f0d.exe"
      3  C:\Windows\SysWOW64\WerFault.exe  (PID 388)  [Program crash]
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1788
   2  C:\Windows\SysWOW64\schtasks.exe  (PID 4956)  [Creates scheduled task(s)]
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IcgsvUnXJyQrdo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF1B3.tmp"
1  C:\Windows\SysWOW64\WerFault.exe  (PID 3584)
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3212 -ip 3212
Reading the tree: the first instance (PID 1172, where the CustAttr packer was detected) starts a second copy of itself (PID 3212, where the family rule matched) and, directly from the parent, registers a scheduled task named Updates\IcgsvUnXJyQrdo from an XML definition written to the user's Temp directory; that temp file is the task definition to recover when triaging a live host, since it holds the trigger and the action the task will run. The command line names System32\schtasks.exe but the image that actually ran is under SysWOW64: the sample runs as a 32-bit process and WOW64 file-system redirection mapped the path. Both WerFault instances report on PID 3212, the process carrying the payload, which crashed.
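The process tree above shows the persistence mechanism: a loader in the user's Temp directory spawning schtasks.exe /Create with an /XML definition that also lives in Temp. The following added example (not from the report or the sandbox) flags that pattern over process-creation records and pairs the WerFault invocations with the PID they report on. The records are reconstructed from the tree, with parent PIDs taken from its nesting since the report does not list them, and the explorer.exe / Backup\Nightly records are a constructed benign control case; the user-writable path list is a heuristic, not a complete one.

```python
"""Flag schtasks-based persistence of the kind shown in the tree above and
map WerFault invocations to the process they report on. Added example, not
part of the sandbox report; the records are reconstructed from the tree
(parent PIDs from its nesting) plus one constructed benign control case."""
import re

# Windows command-line tokeniser: a quoted run is one argument, quotes dropped.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


# Locations an unprivileged user can write to (heuristic, not exhaustive).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata\\|users\\public\\|windows\\temp\\)", re.I)


def in_user_writable(path):
    return bool(USER_WRITABLE.match(path))


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\115f6d94f2fd77eda6b81780e8051f0d.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
EVENTS = [
    {"pid": 1172, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 3212, "ppid": 1172, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 388, "ppid": 3212, "image": WERFAULT,
     "cmdline": WERFAULT + " -u -p 3212 -s 1788"},
    {"pid": 4956, "ppid": 1172, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IcgsvUnXJyQrdo" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpF1B3.tmp"'},
    {"pid": 3584, "ppid": None, "image": WERFAULT,
     "cmdline": WERFAULT + " -pss -s 404 -p 3212 -ip 3212"},
    # Constructed benign control: an interactive admin importing a task from ProgramData.
    {"pid": 800, "ppid": None, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5000, "ppid": 800, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup\Nightly" '
                r'/XML "C:\ProgramData\Backup\nightly.xml"'},
]


def flag_schtasks(events):
    """Return (pid, reasons) for each schtasks /Create that looks like malware persistence."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\schtasks.exe"):
            continue
        argv = split_cmdline(e["cmdline"])
        if "/create" not in {a.lower() for a in argv}:
            continue
        # Map each /flag to the token that follows it (flag names are case-insensitive).
        opts = {argv[i].lower(): argv[i + 1]
                for i in range(len(argv) - 1) if argv[i].startswith("/")}
        reasons = []
        xml = opts.get("/xml")
        if xml and in_user_writable(xml):
            reasons.append("task XML in user-writable path")
        parent = by_pid.get(e["ppid"])
        if parent and in_user_writable(parent["image"]):
            reasons.append("parent runs from user-writable path")
        if not reasons:
            continue
        # Context only, never a trigger by itself: System32 on the command line
        # but SysWOW64 as the image means a 32-bit caller hit WOW64 redirection.
        if "\\syswow64\\" in e["image"].lower() and "\\system32\\" in argv[0].lower():
            reasons.append("32-bit caller (System32 redirected to SysWOW64)")
        hits.append((e["pid"], reasons))
    return hits


def crashed_pids(events):
    """PIDs that WerFault was launched to report on (its -p argument)."""
    pids = set()
    for e in events:
        if e["image"].lower().endswith("\\werfault.exe"):
            argv = split_cmdline(e["cmdline"])
            if "-p" in argv:
                pids.add(int(argv[argv.index("-p") + 1]))
    return pids


if __name__ == "__main__":
    for pid, reasons in flag_schtasks(EVENTS):
        print(f"schtasks PID {pid}: " + "; ".join(reasons))
    print("WerFault targets:", sorted(crashed_pids(EVENTS)))
```

The two triggering conditions are the task definition and the caller both living in a user-writable directory; the WOW64 observation is attached as context because plenty of legitimate 32-bit installers also hit that redirection. On a live host, the XML path recovered from the command line is the file to pull before it is cleaned up.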