Analysis

max time kernel:  91s
max time network: 116s
platform:         windows10-2004_x64
resource:         win10v2004-20231222-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted:        25-12-2023 11:08
Static task: static1

Behavioral task: behavioral1
  Sample:   19aa66f2ca96ec4579ee920e9ec1c73c.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample:   19aa66f2ca96ec4579ee920e9ec1c73c.exe
  Resource: win10v2004-20231222-en
General

Target: 19aa66f2ca96ec4579ee920e9ec1c73c.exe
Size:   433KB
MD5:    19aa66f2ca96ec4579ee920e9ec1c73c
SHA1:   fca845bb38cbd038912a9150566a13f5af2f1d4e
SHA256: e75e132f419523529e59356445a2f5bb1a031281344a85598ba5059e608f8549
SHA512: a3e3e76e3198bccd60d1235c403e108fad8bf674b5cead354b2a0e2e0439a80c13b18065ca41cd674b62599f805a862ab1c704c9ee01f22219c12131cf385581
SSDEEP: 6144:w09XrpG6Bcwqh3SB4Rb3DggpBMDPnGQ5njdynEqLl4p8dVRWuR4AY+SoKm6+hwou:wAdG6OE6YNDPlh43lFVRWuGAYqu
Malware Config

Extracted: snakekeylogger
  Protocol:  smtp
  Host:      mail.sayimkalip.com
  Port:      587
  Username:  [email protected]
  Password:  3edcvfr4**
  Email To:  [email protected]
  https://api.telegram.org/bot1483662500:AAGrMuxJV05-It-ke-xXVV6-R6IAtETpJb0/sendMessage?chat_id=1300181783
Signatures

- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

- Snake Keylogger payload (2 IoCs)
  Processes:
    resource                                                                     yara_rule
    behavioral2/memory/4792-3-0x0000000000700000-0x0000000000724000-memory.dmp   family_snakekeylogger
    behavioral2/memory/4792-7-0x0000000005070000-0x0000000005080000-memory.dmp   family_snakekeylogger

- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow   ioc
    4      checkip.dyndns.org
    30     freegeoip.app
    31     freegeoip.app

- Suspicious use of SetThreadContext (1 IoC)
  Processes: 19aa66f2ca96ec4579ee920e9ec1c73c.exe
    description                           pid    process                                target process
    PID 2236 set thread context of 4792   2236   19aa66f2ca96ec4579ee920e9ec1c73c.exe   MSBuild.exe

- Program crash (2 IoCs)
  Processes: WerFault.exe, WerFault.exe
    pid    pid_target   process        target process
    2212   2236         WerFault.exe   19aa66f2ca96ec4579ee920e9ec1c73c.exe
    3320   4792         WerFault.exe   MSBuild.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: MSBuild.exe
    pid    process
    4792   MSBuild.exe

- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: 19aa66f2ca96ec4579ee920e9ec1c73c.exe
    pid    process
    2236   19aa66f2ca96ec4579ee920e9ec1c73c.exe
    2236   19aa66f2ca96ec4579ee920e9ec1c73c.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: MSBuild.exe
    description               pid    process
    Token: SeDebugPrivilege   4792   MSBuild.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 19aa66f2ca96ec4579ee920e9ec1c73c.exe
    description                        pid    process                                target process
    PID 2236 wrote to memory of 4792   2236   19aa66f2ca96ec4579ee920e9ec1c73c.exe   MSBuild.exe
    PID 2236 wrote to memory of 4792   2236   19aa66f2ca96ec4579ee920e9ec1c73c.exe   MSBuild.exe
    PID 2236 wrote to memory of 4792   2236   19aa66f2ca96ec4579ee920e9ec1c73c.exe   MSBuild.exe
    PID 2236 wrote to memory of 4792   2236   19aa66f2ca96ec4579ee920e9ec1c73c.exe   MSBuild.exe
Processes

Process tree (indentation shows parent/child depth; each entry lists the image path, the command line, the signatures hit, and the PID):

- C:\Users\Admin\AppData\Local\Temp\19aa66f2ca96ec4579ee920e9ec1c73c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\19aa66f2ca96ec4579ee920e9ec1c73c.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID: 2236

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\19aa66f2ca96ec4579ee920e9ec1c73c.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4792

    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1720
      - Program crash
      PID: 3320

  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 324
    - Program crash
    PID: 2212

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2236 -ip 2236
  PID: 1044

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4792 -ip 4792
  PID: 2608