Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/04/2024, 14:56 UTC

General

  • Target

    1af4b1e67dee34e1ce541150c83e1be4f75766d47ecebf4b476cb08aa04fa837.exe

  • Size

    525KB

  • MD5

    3138b63ef0d439ebc2e631452307c089

  • SHA1

    176b629248c486842e03a897192dbc6043a57fe5

  • SHA256

    1af4b1e67dee34e1ce541150c83e1be4f75766d47ecebf4b476cb08aa04fa837

  • SHA512

    f83dcb33c5777d9efc9100705761786a7d1dada83331866a95fbd3042357f7d7b87aa36cc1dc7fcbe8e9af4118bdd1cd5e2734366c1cc7d1c85b95be8c6767c0

  • SSDEEP

    12288:/ytros3iYd2DGhjsTJWJHJ+HgyJsMgqFyaHs:/WosNDdRJHcHZJt

Malware Config

Extracted

Family

snakekeylogger

C2

http://varders.kozow.com:8081

http://aborters.duckdns.org:8081

http://anotherarmy.dns.army:8081

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1af4b1e67dee34e1ce541150c83e1be4f75766d47ecebf4b476cb08aa04fa837.exe
    "C:\Users\Admin\AppData\Local\Temp\1af4b1e67dee34e1ce541150c83e1be4f75766d47ecebf4b476cb08aa04fa837.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4048
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 1568
        3⤵
        • Program crash
        PID:3924
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4048 -ip 4048
    1⤵
      PID:4944

    Network

    • flag-us
      DNS
      22.177.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      22.177.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.dual-a-0034.a-msedge.net
      g-bing-com.dual-a-0034.a-msedge.net
      IN CNAME
      dual-a-0034.a-msedge.net
      dual-a-0034.a-msedge.net
      IN A
      204.79.197.237
      dual-a-0034.a-msedge.net
      IN A
      13.107.21.237
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d5074bce810949fdabea2842c29667c7&localId=w:6B64A61F-3845-A817-60EE-6065BD62B10E&deviceId=6825832441214664&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d5074bce810949fdabea2842c29667c7&localId=w:6B64A61F-3845-A817-60EE-6065BD62B10E&deviceId=6825832441214664&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=143F811A1C4968CD24EF957E1DA9692F; domain=.bing.com; expires=Mon, 12-May-2025 14:56:45 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: A8BD85FDACBA4B1C825F0D19CB6E4037 Ref B: LON04EDGE1210 Ref C: 2024-04-17T14:56:45Z
      date: Wed, 17 Apr 2024 14:56:44 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d5074bce810949fdabea2842c29667c7&localId=w:6B64A61F-3845-A817-60EE-6065BD62B10E&deviceId=6825832441214664&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d5074bce810949fdabea2842c29667c7&localId=w:6B64A61F-3845-A817-60EE-6065BD62B10E&deviceId=6825832441214664&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=143F811A1C4968CD24EF957E1DA9692F
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=iaOwrbZ-U-dEJADinE5H4-M-ka6CUzeTw3LjdXFms78; domain=.bing.com; expires=Mon, 12-May-2025 14:56:45 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 34FE16EE976848BFB47263CA8D033D8A Ref B: LON04EDGE1210 Ref C: 2024-04-17T14:56:45Z
      date: Wed, 17 Apr 2024 14:56:44 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d5074bce810949fdabea2842c29667c7&localId=w:6B64A61F-3845-A817-60EE-6065BD62B10E&deviceId=6825832441214664&anid=
      Remote address:
      204.79.197.237:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d5074bce810949fdabea2842c29667c7&localId=w:6B64A61F-3845-A817-60EE-6065BD62B10E&deviceId=6825832441214664&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=143F811A1C4968CD24EF957E1DA9692F; MSPTC=iaOwrbZ-U-dEJADinE5H4-M-ka6CUzeTw3LjdXFms78
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: A6A2C15F4F87402B8B7868E28BD058E8 Ref B: LON04EDGE1210 Ref C: 2024-04-17T14:56:45Z
      date: Wed, 17 Apr 2024 14:56:44 GMT
    • flag-us
      DNS
      91.90.14.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      91.90.14.23.in-addr.arpa
      IN PTR
      Response
      91.90.14.23.in-addr.arpa
      IN PTR
      a23-14-90-91deploystaticakamaitechnologiescom
    • flag-us
      DNS
      91.90.14.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      91.90.14.23.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      91.90.14.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      91.90.14.23.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      91.90.14.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      91.90.14.23.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      237.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      237.197.79.204.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      237.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      237.197.79.204.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      237.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      237.197.79.204.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      237.197.79.204.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      237.197.79.204.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      241.154.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.154.82.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.154.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.154.82.20.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      241.154.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.154.82.20.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      241.154.82.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.154.82.20.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      163.233.34.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      163.233.34.23.in-addr.arpa
      IN PTR
      Response
      163.233.34.23.in-addr.arpa
      IN PTR
      a23-34-233-163deploystaticakamaitechnologiescom
    • flag-us
      DNS
      26.35.223.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      26.35.223.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      checkip.dyndns.org
      RegAsm.exe
      Remote address:
      8.8.8.8:53
      Request
      checkip.dyndns.org
      IN A
      Response
      checkip.dyndns.org
      IN CNAME
      checkip.dyndns.com
      checkip.dyndns.com
      IN A
      193.122.6.168
      checkip.dyndns.com
      IN A
      132.226.8.169
      checkip.dyndns.com
      IN A
      158.101.44.242
      checkip.dyndns.com
      IN A
      132.226.247.73
      checkip.dyndns.com
      IN A
      193.122.130.0
    • flag-de
      GET
      http://checkip.dyndns.org/
      RegAsm.exe
      Remote address:
      193.122.6.168:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 502 Bad Gateway
      Date: Wed, 17 Apr 2024 14:57:03 GMT
      Content-Type: text/html
      Content-Length: 547
      Connection: keep-alive
      X-Request-ID: e9ec3ef308c00ead15db0bdbedeee0fd
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      15.164.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      15.164.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      15.164.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      15.164.165.52.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      82.90.14.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      82.90.14.23.in-addr.arpa
      IN PTR
      Response
      82.90.14.23.in-addr.arpa
      IN PTR
      a23-14-90-82deploystaticakamaitechnologiescom
    • flag-us
      DNS
      13.179.89.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.179.89.13.in-addr.arpa
      IN PTR
      Response
    • 204.79.197.237:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d5074bce810949fdabea2842c29667c7&localId=w:6B64A61F-3845-A817-60EE-6065BD62B10E&deviceId=6825832441214664&anid=
      tls, http2
      2.2kB
      9.2kB
      23
      18

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d5074bce810949fdabea2842c29667c7&localId=w:6B64A61F-3845-A817-60EE-6065BD62B10E&deviceId=6825832441214664&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=d5074bce810949fdabea2842c29667c7&localId=w:6B64A61F-3845-A817-60EE-6065BD62B10E&deviceId=6825832441214664&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=d5074bce810949fdabea2842c29667c7&localId=w:6B64A61F-3845-A817-60EE-6065BD62B10E&deviceId=6825832441214664&anid=

      HTTP Response

      204
    • 193.122.6.168:80
      http://checkip.dyndns.org/
      http
      RegAsm.exe
      381 B
      862 B
      5
      3

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      502
    • 8.8.8.8:53
      22.177.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      22.177.190.20.in-addr.arpa

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      151 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      204.79.197.237
      13.107.21.237

    • 8.8.8.8:53
      91.90.14.23.in-addr.arpa
      dns
      280 B
      133 B
      4
      1

      DNS Request

      91.90.14.23.in-addr.arpa

      DNS Request

      91.90.14.23.in-addr.arpa

      DNS Request

      91.90.14.23.in-addr.arpa

      DNS Request

      91.90.14.23.in-addr.arpa

    • 8.8.8.8:53
      237.197.79.204.in-addr.arpa
      dns
      292 B
      143 B
      4
      1

      DNS Request

      237.197.79.204.in-addr.arpa

      DNS Request

      237.197.79.204.in-addr.arpa

      DNS Request

      237.197.79.204.in-addr.arpa

      DNS Request

      237.197.79.204.in-addr.arpa

    • 8.8.8.8:53
      241.154.82.20.in-addr.arpa
      dns
      288 B
      158 B
      4
      1

      DNS Request

      241.154.82.20.in-addr.arpa

      DNS Request

      241.154.82.20.in-addr.arpa

      DNS Request

      241.154.82.20.in-addr.arpa

      DNS Request

      241.154.82.20.in-addr.arpa

    • 8.8.8.8:53
      163.233.34.23.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      163.233.34.23.in-addr.arpa

    • 8.8.8.8:53
      26.35.223.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      26.35.223.20.in-addr.arpa

    • 8.8.8.8:53
      checkip.dyndns.org
      dns
      RegAsm.exe
      64 B
      176 B
      1
      1

      DNS Request

      checkip.dyndns.org

      DNS Response

      193.122.6.168
      132.226.8.169
      158.101.44.242
      132.226.247.73
      193.122.130.0

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      210 B
      156 B
      3
      1

      DNS Request

      50.23.12.20.in-addr.arpa

      DNS Request

      50.23.12.20.in-addr.arpa

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      15.164.165.52.in-addr.arpa
      dns
      144 B
      146 B
      2
      1

      DNS Request

      15.164.165.52.in-addr.arpa

      DNS Request

      15.164.165.52.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      82.90.14.23.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      82.90.14.23.in-addr.arpa

    • 8.8.8.8:53
      13.179.89.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      13.179.89.13.in-addr.arpa

    Downloads

    • memory/2728-6-0x0000000005410000-0x00000000054AC000-memory.dmp

      Filesize

      624KB

    • memory/2728-1-0x0000000075110000-0x00000000758C0000-memory.dmp

      Filesize

      7.7MB

    • memory/2728-3-0x0000000005220000-0x0000000005230000-memory.dmp

      Filesize

      64KB

    • memory/2728-2-0x0000000002B70000-0x0000000002BC4000-memory.dmp

      Filesize

      336KB

    • memory/2728-4-0x00000000057E0000-0x0000000005D84000-memory.dmp

      Filesize

      5.6MB

    • memory/2728-5-0x00000000052D0000-0x0000000005362000-memory.dmp

      Filesize

      584KB

    • memory/2728-0-0x0000000000750000-0x00000000007DA000-memory.dmp

      Filesize

      552KB

    • memory/2728-7-0x0000000005260000-0x0000000005268000-memory.dmp

      Filesize

      32KB

    • memory/2728-10-0x0000000075110000-0x00000000758C0000-memory.dmp

      Filesize

      7.7MB

    • memory/4048-8-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/4048-11-0x0000000075110000-0x00000000758C0000-memory.dmp

      Filesize

      7.7MB

    • memory/4048-12-0x00000000054B0000-0x00000000054C0000-memory.dmp

      Filesize

      64KB

    • memory/4048-13-0x0000000075110000-0x00000000758C0000-memory.dmp

      Filesize

      7.7MB
