Analysis
- max time kernel: 143s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/01/2024, 16:23
Static task: static1
Behavioral task: behavioral1
- Sample: 804c2fb52752597cd0fdae9838df7d08.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 804c2fb52752597cd0fdae9838df7d08.exe
- Resource: win10v2004-20231215-en
General
- Target: 804c2fb52752597cd0fdae9838df7d08.exe
- Size: 893KB
- MD5: 804c2fb52752597cd0fdae9838df7d08
- SHA1: a5ebf568c0e7f81a5f6854ed9a690a948f804dd2
- SHA256: 0a101b8b739c481e387e2daf5d85aaa93cf0188ff798233817e2e349b7ac1fe9
- SHA512: dfea22fcd622b5dd02f095e9148c68c9d135c654b1974a163253f783199895f58684b55b7994ba4e227c0f25463a1795460f97a94d3c92e421d5afe7819e6f27
- SSDEEP: 12288:sJtPdGVDaHK7zTe++KINAeU+dy7fOhL8sCTqegHCcxvKIHWBSGm:sJYO+VluZL8sCTyHlZdH2S
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: smtp.trellaborg.com
- Port: 587
- Username: [email protected]
- Password: p4+vh#8Puf*N
- Email To: [email protected]
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoCs)
  resource: behavioral2/memory/2804-18-0x0000000000400000-0x0000000000424000-memory.dmp
  yara_rule: family_snakekeylogger
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation
  Process: 804c2fb52752597cd0fdae9838df7d08.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 48: freegeoip.app
  flow 49: freegeoip.app
  flow 46: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 3292 set thread context of 2804
  pid: 3292
  Process: 804c2fb52752597cd0fdae9838df7d08.exe
  procid_target: 95
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid: 3636
  pid_target: 2804
  Process: WerFault.exe
  procid_target: 95
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 2968
  Process: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 3292: 804c2fb52752597cd0fdae9838df7d08.exe
  pid 3292: 804c2fb52752597cd0fdae9838df7d08.exe
  pid 2804: 804c2fb52752597cd0fdae9838df7d08.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege | pid 3292 | 804c2fb52752597cd0fdae9838df7d08.exe
  Token: SeDebugPrivilege | pid 2804 | 804c2fb52752597cd0fdae9838df7d08.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 3292 wrote to memory of 2968 | 3292 | 804c2fb52752597cd0fdae9838df7d08.exe | 92
  PID 3292 wrote to memory of 2968 | 3292 | 804c2fb52752597cd0fdae9838df7d08.exe | 92
  PID 3292 wrote to memory of 2968 | 3292 | 804c2fb52752597cd0fdae9838df7d08.exe | 92
  PID 3292 wrote to memory of 4764 | 3292 | 804c2fb52752597cd0fdae9838df7d08.exe | 94
  PID 3292 wrote to memory of 4764 | 3292 | 804c2fb52752597cd0fdae9838df7d08.exe | 94
  PID 3292 wrote to memory of 4764 | 3292 | 804c2fb52752597cd0fdae9838df7d08.exe | 94
  PID 3292 wrote to memory of 2804 | 3292 | 804c2fb52752597cd0fdae9838df7d08.exe | 95
  PID 3292 wrote to memory of 2804 | 3292 | 804c2fb52752597cd0fdae9838df7d08.exe | 95
  PID 3292 wrote to memory of 2804 | 3292 | 804c2fb52752597cd0fdae9838df7d08.exe | 95
  PID 3292 wrote to memory of 2804 | 3292 | 804c2fb52752597cd0fdae9838df7d08.exe | 95
  PID 3292 wrote to memory of 2804 | 3292 | 804c2fb52752597cd0fdae9838df7d08.exe | 95
  PID 3292 wrote to memory of 2804 | 3292 | 804c2fb52752597cd0fdae9838df7d08.exe | 95
  PID 3292 wrote to memory of 2804 | 3292 | 804c2fb52752597cd0fdae9838df7d08.exe | 95
  PID 3292 wrote to memory of 2804 | 3292 | 804c2fb52752597cd0fdae9838df7d08.exe | 95
Processes
- C:\Users\Admin\AppData\Local\Temp\804c2fb52752597cd0fdae9838df7d08.exe (PID 3292)
  Command line: "C:\Users\Admin\AppData\Local\Temp\804c2fb52752597cd0fdae9838df7d08.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 2968)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BcGxjlRX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp37A5.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\804c2fb52752597cd0fdae9838df7d08.exe (PID 4764)
    Command line: "C:\Users\Admin\AppData\Local\Temp\804c2fb52752597cd0fdae9838df7d08.exe"
  - C:\Users\Admin\AppData\Local\Temp\804c2fb52752597cd0fdae9838df7d08.exe (PID 2804)
    Command line: "C:\Users\Admin\AppData\Local\Temp\804c2fb52752597cd0fdae9838df7d08.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 3636)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1828
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2644)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2804 -ip 2804
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\804c2fb52752597cd0fdae9838df7d08.exe.log
  Filesize: 1KB
  MD5: 17573558c4e714f606f997e5157afaac
  SHA1: 13e16e9415ceef429aaf124139671ebeca09ed23
  SHA256: c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
  SHA512: f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc
-
  Filesize: 1KB
  MD5: 12212bb8897ac60f24eb6d66e8da2bb2
  SHA1: fdc05833eb61327650c95849fcd90e0ce6a2d490
  SHA256: fb15986843865f1530137c142b2a8ebe1c16fefe9f5ddcc6889125a553f4c9cb
  SHA512: fecb0904b82a51ff7ba69127d516638367c0e4d1d5cb75c33b9b9bfde7978d5e4393b6406c72b3a1253cfdc1da7a7cdd32ec2a235e693c8a33c7ba7b1a1cf231