Analysis
-
max time kernel
122s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
30/01/2024, 22:19
Static task
static1
Behavioral task
behavioral1
Sample
82b51cd131dfd15563e352b5ee83163c.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
82b51cd131dfd15563e352b5ee83163c.exe
Resource
win10v2004-20231215-en
General
-
Target
82b51cd131dfd15563e352b5ee83163c.exe
-
Size
1.1MB
-
MD5
82b51cd131dfd15563e352b5ee83163c
-
SHA1
72b3d1a8808cab246e32fe657e840189d3ca7380
-
SHA256
31b5000cf78635731bfe23c558dfe5b7f5319ee14fc34864a51e6cc125647a41
-
SHA512
e0140f34ba56ec152f1cc6add6f834861ba6d38bcf08cbd6a03d8c27b1e0bd11701949c2925f173d3b8691db86a3160991823e34539e8d3a49a03f865b2dce2b
-
SSDEEP
24576:07ATQeuFFYTblhBUunsif1932vJafiiKhxxs:Qyf1Ur073BfiiKZs
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
webmail.aquariushotelboutique.com - Port:
25 - Username:
[email protected] - Password:
6)fvPIxcEVwT - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 6 IoCs
resource yara_rule behavioral1/memory/2548-10-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/2548-11-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/2548-14-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/2548-16-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/2548-19-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/2548-21-0x0000000004BC0000-0x0000000004C00000-memory.dmp family_snakekeylogger -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 checkip.dyndns.org 8 freegeoip.app 9 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2416 set thread context of 2548 2416 82b51cd131dfd15563e352b5ee83163c.exe 32 -
Program crash 1 IoCs
pid pid_target Process procid_target 908 2548 WerFault.exe 32 -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2416 82b51cd131dfd15563e352b5ee83163c.exe 2416 82b51cd131dfd15563e352b5ee83163c.exe 2548 82b51cd131dfd15563e352b5ee83163c.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2416 82b51cd131dfd15563e352b5ee83163c.exe Token: SeDebugPrivilege 2548 82b51cd131dfd15563e352b5ee83163c.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 2416 wrote to memory of 2532 2416 82b51cd131dfd15563e352b5ee83163c.exe 30 PID 2416 wrote to memory of 2532 2416 82b51cd131dfd15563e352b5ee83163c.exe 30 PID 2416 wrote to memory of 2532 2416 82b51cd131dfd15563e352b5ee83163c.exe 30 PID 2416 wrote to memory of 2532 2416 82b51cd131dfd15563e352b5ee83163c.exe 30 PID 2416 wrote to memory of 2528 2416 82b51cd131dfd15563e352b5ee83163c.exe 31 PID 2416 wrote to memory of 2528 2416 82b51cd131dfd15563e352b5ee83163c.exe 31 PID 2416 wrote to memory of 2528 2416 82b51cd131dfd15563e352b5ee83163c.exe 31 PID 2416 wrote to memory of 2528 2416 82b51cd131dfd15563e352b5ee83163c.exe 31 PID 2416 wrote to memory of 2548 2416 82b51cd131dfd15563e352b5ee83163c.exe 32 PID 2416 wrote to memory of 2548 2416 82b51cd131dfd15563e352b5ee83163c.exe 32 PID 2416 wrote to memory of 2548 2416 82b51cd131dfd15563e352b5ee83163c.exe 32 PID 2416 wrote to memory of 2548 2416 82b51cd131dfd15563e352b5ee83163c.exe 32 PID 2416 wrote to memory of 2548 2416 82b51cd131dfd15563e352b5ee83163c.exe 32 PID 2416 wrote to memory of 2548 2416 82b51cd131dfd15563e352b5ee83163c.exe 32 PID 2416 wrote to memory of 2548 2416 82b51cd131dfd15563e352b5ee83163c.exe 32 PID 2416 wrote to memory of 2548 2416 82b51cd131dfd15563e352b5ee83163c.exe 32 PID 2416 wrote to memory of 2548 2416 82b51cd131dfd15563e352b5ee83163c.exe 32 PID 2548 wrote to memory of 908 2548 82b51cd131dfd15563e352b5ee83163c.exe 33 PID 2548 wrote to memory of 908 2548 82b51cd131dfd15563e352b5ee83163c.exe 33 PID 2548 wrote to memory of 908 2548 82b51cd131dfd15563e352b5ee83163c.exe 33 PID 2548 wrote to memory of 908 2548 82b51cd131dfd15563e352b5ee83163c.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\82b51cd131dfd15563e352b5ee83163c.exe"C:\Users\Admin\AppData\Local\Temp\82b51cd131dfd15563e352b5ee83163c.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Users\Admin\AppData\Local\Temp\82b51cd131dfd15563e352b5ee83163c.exe"C:\Users\Admin\AppData\Local\Temp\82b51cd131dfd15563e352b5ee83163c.exe"2⤵PID:2532
-
-
C:\Users\Admin\AppData\Local\Temp\82b51cd131dfd15563e352b5ee83163c.exe"C:\Users\Admin\AppData\Local\Temp\82b51cd131dfd15563e352b5ee83163c.exe"2⤵PID:2528
-
-
C:\Users\Admin\AppData\Local\Temp\82b51cd131dfd15563e352b5ee83163c.exe"C:\Users\Admin\AppData\Local\Temp\82b51cd131dfd15563e352b5ee83163c.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 16163⤵
- Program crash
PID:908
-
-