Analysis
- max time kernel: 59s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/01/2024, 08:31
Static task: static1
Behavioral task: behavioral1
- Sample: 81f70b54b7d3636313ab065145c42e5a.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 81f70b54b7d3636313ab065145c42e5a.exe
- Resource: win10v2004-20231222-en
General
- Target: 81f70b54b7d3636313ab065145c42e5a.exe
- Size: 569KB
- MD5: 81f70b54b7d3636313ab065145c42e5a
- SHA1: 95e92f8dd3f90fdbd2f9b39ff5467cf108721b96
- SHA256: d5b2a38229346acf8eea0d20c4687f9f59627dcbf09c12d8ea5eb77e604653b6
- SHA512: 924be32d261587bed59b2e85380688e9f0ab70161b407dc32f1e406e2108654fd393fff877fdc09abaf9eed3493926354516d2a506048f48a94d152fc87e2fdd
- SSDEEP: 6144:JvLv+4SxVYycTWfDL6hBmgpq2aCnwnhNXu8doLp9be6tS7imKXIlWBS38KNrG0l1:pSPTKhgg9UNXuuoLLbe6g3lDfA0l
Malware Config
Extracted
- Family: snakekeylogger
- Protocol: smtp
- Host: bh-alpha.bergeserver.com
- Port: 587
- Username: [email protected]
- Password: Hackermic11@
- Email To: [email protected]
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/1448-12-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  42 | checkip.dyndns.org
  45 | freegeoip.app
  46 | freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 4000 set thread context of 1448 | 4000 | 81f70b54b7d3636313ab065145c42e5a.exe | 98
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  2792 | 1448 | WerFault.exe | 98
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  1448 | 81f70b54b7d3636313ab065145c42e5a.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1448 | 81f70b54b7d3636313ab065145c42e5a.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 4000 wrote to memory of 1448 | 4000 | 81f70b54b7d3636313ab065145c42e5a.exe | 98 (8 identical events)
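Read together, the SetThreadContext and WriteProcessMemory rows describe a parent (PID 4000) that spawns a second copy of its own image (PID 1448), writes into it repeatedly and then redirects a thread in it, which is the usual self-hollowing sequence, and the YARA hit on the 1448 memory dump confirms that the unpacked payload lives in the child rather than in the file on disk. The script below is an added example, not code from the sandbox report or its vendor: it replays that reasoning over hand-constructed event records modelled on the report's rows (the event shapes, the list of extra IP-lookup domains, and the assumption that PID 1448 issued the DNS lookups are all mine, not the report's) and returns the injection pairs, the PIDs worth dumping, the IP-lookup services contacted per PID, and the PIDs that enabled SeDebugPrivilege.

```python
"""Triage of process-hollowing and IP-lookup signals from sandbox-style events.

Added example, not code from the sandbox report or its vendor. The event
records below are constructed by hand to mirror the report's rows (pid,
procid_target, process image, API/flow); they are not exported from it.
"""
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple

SAMPLE_EXE = "81f70b54b7d3636313ab065145c42e5a.exe"

# Services commonly abused to learn the victim's public IP. The first two appear
# in the report; the others are assumed additions for broader coverage.
IP_LOOKUP_DOMAINS = frozenset({
    "checkip.dyndns.org", "freegeoip.app", "api.ipify.org", "ip-api.com",
})


class ApiEvent(NamedTuple):
    api: str      # CreateProcess | WriteProcessMemory | SetThreadContext | AdjustPrivilegeToken
    pid: int      # calling process
    target: int   # affected process (the new child for CreateProcess; self for token changes)
    detail: str   # child image for CreateProcess, privilege name for token changes, else ""


class DnsEvent(NamedTuple):
    pid: int
    domain: str


# Constructed sample modelled on the report: pid 4000 spawns a copy of itself
# (pid 1448), writes to it eight times and redirects a thread in it; the child
# then enables SeDebugPrivilege and queries two IP-lookup services.
SAMPLE_API: List[ApiEvent] = (
    [ApiEvent("CreateProcess", 4000, 1448, SAMPLE_EXE)]
    + [ApiEvent("WriteProcessMemory", 4000, 1448, "")] * 8
    + [ApiEvent("SetThreadContext", 4000, 1448, ""),
       ApiEvent("AdjustPrivilegeToken", 1448, 1448, "SeDebugPrivilege")]
)
SAMPLE_DNS: List[DnsEvent] = [  # assumption: the hollowed child issued the lookups
    DnsEvent(1448, "checkip.dyndns.org"),
    DnsEvent(1448, "freegeoip.app"),
    DnsEvent(1448, "freegeoip.app"),
]
SAMPLE_IMAGES: Dict[int, str] = {4000: SAMPLE_EXE}  # seed: root process from the tree


def triage(images: Dict[int, str], api: Iterable[ApiEvent], dns: Iterable[DnsEvent]) -> dict:
    """Return injection pairs, pids worth dumping, IP-lookup domains per pid,
    and pids that enabled SeDebugPrivilege."""
    images = dict(images)
    cross: Counter = Counter()   # (caller, target, api) for calls into another process
    debug_pids: List[int] = []
    for ev in api:
        if ev.api == "CreateProcess":
            images[ev.target] = ev.detail
        elif ev.api == "AdjustPrivilegeToken" and ev.detail == "SeDebugPrivilege":
            debug_pids.append(ev.pid)
        elif ev.pid != ev.target:
            cross[(ev.pid, ev.target, ev.api)] += 1

    injections = []
    for caller, target in sorted({(c, t) for (c, t, _) in cross}):
        writes = cross[(caller, target, "WriteProcessMemory")]
        ctx = cross[(caller, target, "SetThreadContext")]
        if writes and ctx:
            # Writing into a process and then redirecting one of its threads is the
            # hollowing sequence; the same image on both sides makes it self-hollowing,
            # a different image makes it a remote injection into another program.
            verdict = "self-hollowing" if images.get(caller) == images.get(target) else "remote-injection"
            injections.append({"parent": caller, "child": target, "writes": writes, "verdict": verdict})

    lookups: Dict[int, List[str]] = {}
    for ev in dns:
        if ev.domain in IP_LOOKUP_DOMAINS and ev.domain not in lookups.setdefault(ev.pid, []):
            lookups[ev.pid].append(ev.domain)

    return {
        "injections": injections,
        # The injected child holds the unpacked payload: dump and scan that pid with
        # the family YARA rule, not the packed parent image on disk.
        "dump_candidates": [i["child"] for i in injections],
        "ip_lookups": {pid: sorted(v) for pid, v in lookups.items() if v},
        "debug_privilege": sorted(set(debug_pids)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_IMAGES, SAMPLE_API, SAMPLE_DNS), indent=2))
```

A write into another process on its own is not flagged; only the write-plus-thread-redirect pair is, which keeps ordinary debuggers and instrumentation from tripping the rule on WriteProcessMemory alone.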
Processes
- C:\Users\Admin\AppData\Local\Temp\81f70b54b7d3636313ab065145c42e5a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\81f70b54b7d3636313ab065145c42e5a.exe"
  PID: 4000
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\81f70b54b7d3636313ab065145c42e5a.exe
    Command line: "{path}"
    PID: 1448
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 1784
      PID: 2792
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1448 -ip 1448
  PID: 2840
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\81f70b54b7d3636313ab065145c42e5a.exe.log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
  A usage log under CLR_v4.0_32\UsageLogs is written by the .NET 4 runtime when a 32-bit managed executable runs, so this artifact indicates the sample is a .NET binary (consistent with the arch:x86 tag and the SysWOW64 WerFault instances above).