Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
17-04-2024 14:56
General
-
Target
9a51ed2069f54c90bac392ebb1081aa64dee9c2705df9944bc43db671c87dd94.exe
-
Size
735KB
-
MD5
4c386a3d7503f6c5e5bb18ea790839bf
-
SHA1
381687be4488cd4d9057e9f2ee908c4fd6cee57b
-
SHA256
9a51ed2069f54c90bac392ebb1081aa64dee9c2705df9944bc43db671c87dd94
-
SHA512
5cebdb1d62d5a44dbd30990d39a263853d0652f784218c39301c3f2f9963bd1941d88763cfa088ac90535e580aa013ec5faae83400cc2ee54a922390f5e85421
-
SSDEEP
12288:PAS8ufoWOkXnCLBittu4zY6zEsHLc/ZnBxti6t:DpOkgifuWzuCy
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.alualuminium.com.my - Port:
587 - Username:
admin@alualuminium.com.my - Password:
U8G4S13#8Zk$ - Email To:
ashref.majeed.ctl@gmail.com
http://varders.kozow.com:8081
http://aborters.duckdns.org:8081
http://anotherarmy.dns.army:8081
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 6 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a51ed2069f54c90bac392ebb1081aa64dee9c2705df9944bc43db671c87dd94.exe"C:\Users\Admin\AppData\Local\Temp\9a51ed2069f54c90bac392ebb1081aa64dee9c2705df9944bc43db671c87dd94.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 34⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1992-0-0x0000000000EF0000-0x0000000000FAE000-memory.dmpFilesize
760KB
-
memory/1992-1-0x0000000074010000-0x00000000746FE000-memory.dmpFilesize
6.9MB
-
memory/1992-2-0x0000000004B40000-0x0000000004B80000-memory.dmpFilesize
256KB
-
memory/1992-3-0x00000000003B0000-0x00000000003C4000-memory.dmpFilesize
80KB
-
memory/1992-4-0x0000000000450000-0x000000000045A000-memory.dmpFilesize
40KB
-
memory/1992-5-0x0000000000460000-0x000000000046E000-memory.dmpFilesize
56KB
-
memory/1992-6-0x0000000005250000-0x00000000052C2000-memory.dmpFilesize
456KB
-
memory/1992-18-0x0000000074010000-0x00000000746FE000-memory.dmpFilesize
6.9MB
-
memory/2668-11-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2668-10-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2668-9-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2668-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2668-14-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2668-16-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2668-7-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2668-19-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2668-20-0x0000000074010000-0x00000000746FE000-memory.dmpFilesize
6.9MB
-
memory/2668-21-0x0000000004980000-0x00000000049C0000-memory.dmpFilesize
256KB
-
memory/2668-22-0x0000000074010000-0x00000000746FE000-memory.dmpFilesize
6.9MB
-
memory/2668-23-0x0000000004980000-0x00000000049C0000-memory.dmpFilesize
256KB
-
memory/2668-24-0x0000000074010000-0x00000000746FE000-memory.dmpFilesize
6.9MB