Overview

overview

10

Static

static

3

19aa66f2ca...3c.exe

windows7-x64

1

19aa66f2ca...3c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2023 11:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19aa66f2ca96ec4579ee920e9ec1c73c.exe

  • Size

    433KB

  • MD5

    19aa66f2ca96ec4579ee920e9ec1c73c

  • SHA1

    fca845bb38cbd038912a9150566a13f5af2f1d4e

  • SHA256

    e75e132f419523529e59356445a2f5bb1a031281344a85598ba5059e608f8549

  • SHA512

    a3e3e76e3198bccd60d1235c403e108fad8bf674b5cead354b2a0e2e0439a80c13b18065ca41cd674b62599f805a862ab1c704c9ee01f22219c12131cf385581

  • SSDEEP

    6144:w09XrpG6Bcwqh3SB4Rb3DggpBMDPnGQ5njdynEqLl4p8dVRWuR4AY+SoKm6+hwou:wAdG6OE6YNDPlh43lFVRWuGAYqu

Score
10/10
snakekeyloggerkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

Credentials
C2

https://api.telegram.org/bot1483662500:AAGrMuxJV05-It-ke-xXVV6-R6IAtETpJb0/sendMessage?chat_id=1300181783

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\19aa66f2ca96ec4579ee920e9ec1c73c.exe
    "C:\Users\Admin\AppData\Local\Temp\19aa66f2ca96ec4579ee920e9ec1c73c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\19aa66f2ca96ec4579ee920e9ec1c73c.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4792
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1720
        3⤵
        • Program crash
        PID:3320
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 324
      2⤵
      • Program crash
      PID:2212
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2236 -ip 2236
    1⤵
      PID:1044
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4792 -ip 4792
      1⤵
        PID:2608

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2236-1-0x00000000000A0000-0x00000000001A0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2236-2-0x0000000003800000-0x0000000003802000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4792-3-0x0000000000700000-0x0000000000724000-memory.dmp

        Filesize

        144KB

        Download

      • memory/4792-4-0x0000000075290000-0x0000000075A40000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4792-5-0x00000000053B0000-0x0000000005954000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4792-6-0x0000000004D50000-0x0000000004DEC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4792-7-0x0000000005070000-0x0000000005080000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4792-8-0x0000000075290000-0x0000000075A40000-memory.dmp

        Filesize

        7.7MB

        Download