snakekeylogger | 6db83cda6f33d2cbc17c264e8526d0ad4039ef9cf8f50b7c378b86d1d5a074ed

Analysis

max time kernel
153s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b374dfe1fe2e394e0fafabbc72fc215.exe
Size

511KB
MD5

3b374dfe1fe2e394e0fafabbc72fc215
SHA1

e0a6bcf7ba2dede3262cb1924ed59b8254dcbb2f
SHA256

6db83cda6f33d2cbc17c264e8526d0ad4039ef9cf8f50b7c378b86d1d5a074ed
SHA512

fec3bad431fc014b961d239cd4ec79644989e34d2e03cad874ae79c269dc5e7a560730a27079d9ccf578cfb12ee2531a0ff967fb471096c2dcb8621c8ef23041
SSDEEP

12288:Xo9XY/GaSyb9EUHIfuM101SqO/tiT4ED7x+74JWHTx8PqyY6hj+ihXIu5l:/7fELu2gWRI

Score

10^/10

snakekeylogger zgrat keylogger rat stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
m$ExnQx8
Email To:
[email protected]

Signatures

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/4608-9-0x0000000005900000-0x0000000005916000-memory.dmp	family_zgrat_v1

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 2 IoCs

resource	yara_rule
behavioral2/memory/4184-10-0x0000000000400000-0x0000000000424000-memory.dmp	family_snakekeylogger
behavioral2/memory/4184-15-0x00000000051E0000-0x00000000051F0000-memory.dmp	family_snakekeylogger

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	checkip.dyndns.org
28	freegeoip.app
29	freegeoip.app

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4608 set thread context of 4184	4608	3b374dfe1fe2e394e0fafabbc72fc215.exe	91

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4668	4184	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4184	3b374dfe1fe2e394e0fafabbc72fc215.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4184	3b374dfe1fe2e394e0fafabbc72fc215.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 4184	4608	3b374dfe1fe2e394e0fafabbc72fc215.exe	91
PID 4608 wrote to memory of 4184	4608	3b374dfe1fe2e394e0fafabbc72fc215.exe	91
PID 4608 wrote to memory of 4184	4608	3b374dfe1fe2e394e0fafabbc72fc215.exe	91
PID 4608 wrote to memory of 4184	4608	3b374dfe1fe2e394e0fafabbc72fc215.exe	91
PID 4608 wrote to memory of 4184	4608	3b374dfe1fe2e394e0fafabbc72fc215.exe	91
PID 4608 wrote to memory of 4184	4608	3b374dfe1fe2e394e0fafabbc72fc215.exe	91
PID 4608 wrote to memory of 4184	4608	3b374dfe1fe2e394e0fafabbc72fc215.exe	91
PID 4608 wrote to memory of 4184	4608	3b374dfe1fe2e394e0fafabbc72fc215.exe	91

C:\Users\Admin\AppData\Local\Temp\3b374dfe1fe2e394e0fafabbc72fc215.exe
"C:\Users\Admin\AppData\Local\Temp\3b374dfe1fe2e394e0fafabbc72fc215.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Users\Admin\AppData\Local\Temp\3b374dfe1fe2e394e0fafabbc72fc215.exe
  "C:\Users\Admin\AppData\Local\Temp\3b374dfe1fe2e394e0fafabbc72fc215.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 1828
    3⤵
    - Program crash
    PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4184 -ip 4184
1⤵
PID:536

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3b374dfe1fe2e394e0fafabbc72fc215.exe.log

Filesize
886B

MD5
c20f5538a742328b529578351dc9c18a

SHA1
81ccedae485cc109b78ca630ca7d7968fcdbd84d

SHA256
5605a8572fd4c8fe7f5419f21aeccb2478f210d954e3688bab8abedfdad74f81

SHA512
e3d1ac8024905e09c12d26e7edb1117c0732f89f038251057738bba8e058b756c6718656f880265720dea2e217386ba5fbe2660044285980cb1b37931a90591d

Download Submit
memory/4184-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4184-16-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/4184-15-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/4184-13-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/4608-8-0x0000000005A20000-0x0000000005A5E000-memory.dmp

Filesize
248KB

Download
memory/4608-6-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/4608-7-0x00000000057A0000-0x00000000057BE000-memory.dmp

Filesize
120KB

Download
memory/4608-0-0x0000000000D40000-0x0000000000DC6000-memory.dmp

Filesize
536KB

Download
memory/4608-9-0x0000000005900000-0x0000000005916000-memory.dmp

Filesize
88KB

Download
memory/4608-5-0x0000000005880000-0x00000000058F6000-memory.dmp

Filesize
472KB

Download
memory/4608-4-0x0000000005920000-0x00000000059BC000-memory.dmp

Filesize
624KB

Download
memory/4608-14-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/4608-3-0x00000000057E0000-0x0000000005872000-memory.dmp

Filesize
584KB

Download
memory/4608-2-0x0000000005D90000-0x0000000006334000-memory.dmp

Filesize
5.6MB

Download
memory/4608-1-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download