Analysis
-
max time kernel
121s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
26/12/2023, 07:42
General
-
Target
5d35db3356de210a7087733bd889fe97.exe
-
Size
606KB
-
MD5
5d35db3356de210a7087733bd889fe97
-
SHA1
ed3330f9842f9f94dbd519bd6fa2cff2de5385c8
-
SHA256
9696e415875b7fd4bdc4b324e02fe329557fef7df34a3a66af1b6fc65f1c8fb2
-
SHA512
223a1acb73bc461b98eb4533074af9de06150d95ecb8aad335613ee1fc928210c1d72b23ca8f07fc084f4d789b8edaea304f5e5af45c96b772c8ab57be2380f4
-
SSDEEP
12288:mC+PU9LPU9aYnTR2oseFrzOsBgo0q4wMPrwWZbpFYcF8ylrk:mC7ErzOsBgo0q4wMPrwcpF5h
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
Chukwudim28@ - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 7 IoCs
-
CustAttr .NET packer 1 IoCs
Detects CustAttr .NET packer in memory.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d35db3356de210a7087733bd889fe97.exe"C:\Users\Admin\AppData\Local\Temp\5d35db3356de210a7087733bd889fe97.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BnPVuDZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2F5A.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\5d35db3356de210a7087733bd889fe97.exe"C:\Users\Admin\AppData\Local\Temp\5d35db3356de210a7087733bd889fe97.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 15203⤵
- Program crash
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5662363cab557c4bd4594f75c07a283d2
SHA19d1d1b89b6dba10787deca02835e9dcfd3377fc5
SHA2569cf9fadd249ec0f9e1705811fb3856f35546b8010ab06b015dfd97a72c0d1bd7
SHA51220585a4789090ae62ceb0bf5c9570dcd8828eb31712fa9094aa941a005cf0ea7df88c0c7f5878fdb68aba76415b64a63803d039b21e4ec0b30e1e1bde4fa9263
-
Filesize
144KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
256KB
-
Filesize
632KB
-
Filesize
6.9MB
-
Filesize
168KB
-
Filesize
416KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
72KB