Overview
Score: 10

Resubmissions
- 240422-1xtwbagh68, submitted 22-04-2024 22:02, score 10
- 240422-x42b7afa68, submitted 22-04-2024 19:25, score 10
- 240419-djmthsfh8w, submitted 19-04-2024 03:02, score 10

Analysis
- max time kernel: 143s
- max time network: 215s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 19-04-2024 03:02
Tasks (sample, sandbox resource, score where the task list shows one)
- static1: static analysis (score 10)
- behavioral1: 0490e8427ac66951389e11dbd990c19cb1ee43102c33935b12db6a4eca7717c7.elf, ubuntu1804-amd64-20240226-en
- behavioral2: 0490e8427ac66951389e11dbd990c19cb1ee43102c33935b12db6a4eca7717c7.elf, debian9-armhf-20240226-en
- behavioral3: 0490e8427ac66951389e11dbd990c19cb1ee43102c33935b12db6a4eca7717c7.elf, debian9-mipsbe-20240226-en
- behavioral4: 0490e8427ac66951389e11dbd990c19cb1ee43102c33935b12db6a4eca7717c7.elf, debian9-mipsel-20240226-en
- behavioral5: 068428a4acb65807251b3b4c0aee2101519fdaebf6db5376863da5add3471f26.exe, win7-20240221-en (score 10)
- behavioral6: 068428a4acb65807251b3b4c0aee2101519fdaebf6db5376863da5add3471f26.exe, win10v2004-20240226-en (score 10)
- behavioral7: 087421ac222e935579dfd3b7a5120451fd9d9a663d3d1872c04b6154b238c894.elf, debian9-mipsel-20240226-en (score 10)
- behavioral8: 0c4791a6b47491a0c43cea0ba54357e391a3c8b23aa28025489bbe43bb9ea6ea.elf, debian9-armhf-20240226-en (score 10)
- behavioral9: 0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe, win7-20240221-en (score 10; this report)
- behavioral10: 0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe, win10v2004-20240412-en (score 7)
- behavioral11: 0fa00d4f4f8e8449883aef7f0459a0fb754d57d55af2b41f5e445f867000fa70.dll, win7-20240221-en (score 1)
- behavioral12: 0fa00d4f4f8e8449883aef7f0459a0fb754d57d55af2b41f5e445f867000fa70.dll, win10v2004-20240412-en (score 1)
- behavioral13: 10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1.bat, win7-20240319-en (score 1)
- behavioral14: 10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1.bat, win10v2004-20240412-en (score 8)
- behavioral15: 11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe, win7-20240221-en (score 7)
- behavioral16: 11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe, win10v2004-20240412-en (score 10)
- behavioral17: 16e81343ecea6082d76bf1ab26818c3bf56929c92468fae8837c6384b62d05a5.exe, win7-20231129-en (score 7)
- behavioral18: 16e81343ecea6082d76bf1ab26818c3bf56929c92468fae8837c6384b62d05a5.exe, win10v2004-20240226-en (score 7)
- behavioral19: 17691f0962027e7110f727ae997f8af5885dd783674d1db023d467ec478515b7.elf, debian9-mipsel-20240226-en (score 7)
- behavioral20: 17c24104e8e5350eeb7e2a162dec3f6a4d6c70f3f0849e6346fd383d998dcc12.exe, win7-20240221-en (score 3)
- behavioral21: 17c24104e8e5350eeb7e2a162dec3f6a4d6c70f3f0849e6346fd383d998dcc12.exe, win10v2004-20240412-en (score 3)
- behavioral22: $PLUGINSDIR/AccessControl.dll, win7-20240221-en (score 3)
- behavioral23: $PLUGINSDIR/AccessControl.dll, win10v2004-20240412-en (score 3)
- behavioral24: $PLUGINSDIR/nsProcess.dll, win7-20240319-en (score 3)
- behavioral25: $PLUGINSDIR/nsProcess.dll, win10v2004-20240412-en (score 3)
- behavioral26: CommandPost.exe, win7-20240221-en (score 3)
- behavioral27: CommandPost.exe, win10v2004-20240412-en (score 3)
- behavioral28: Uninstall.exe, win7-20240221-en (score 7)
- behavioral29: Uninstall.exe, win10v2004-20240412-en (score 7)
- behavioral30: $PLUGINSDIR/nsProcess.dll, win7-20240221-en (score 3)
- behavioral31: $PLUGINSDIR/nsProcess.dll, win10v2004-20240412-en (score 3)
- behavioral32: 1816cd993ddda970b791b090e6ecb501ef923bdcc0cc5f4a99e18dcdb7093228.exe, win7-20231129-en (score 7)
General
- Target: 0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe
- Size: 725KB
- MD5: 4b0a935fbc037ea00bf17468d4cf5b85
- SHA1: 169cd19c1d29bebd2c7fe5a8de25b1429f8f2aed
- SHA256: 0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea
- SHA512: 0bee469d0188505772af1fd9af4a6710c201475340045b97024102a63aaba14f940e6ee36d118d338e836b4ee7ba03387001ce81724c4f4433123f5b9d83dd4f
- SSDEEP: 12288:w6Wq4aaE6KwyF5L0Y2D1PqL5C38Lua13KVsrOQW60Ztsmhv3:GthEVaPqL58F2rBjmB3
Malware Config (extracted)
- Family: snakekeylogger
- URL: https://scratchdreams.tk
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (31 IoCs)
  YARA rule family_snakekeylogger matched memory dumps of PID 1356 (RegSvcs.exe):
  behavioral9/memory/1356-42-0x0000000000A00000-0x0000000000A3A000-memory.dmp
  behavioral9/memory/1356-46-0x0000000000B60000-0x0000000000B98000-memory.dmp
  behavioral9/memory/1356-47-0x0000000000B60000-0x0000000000B93000-memory.dmp
  and 28 further dumps of the same 0x0000000000B60000-0x0000000000B93000 region (sequence numbers 48, 50, 52, 54, 57, 59, 61, 63, 65, 67, 69, 71, 73, 75, 77, 79, 81, 83, 85, 87, 89, 91, 93, 95, 97, 99, 101, 103).
- Drops startup file (1 IoC)
  File created by harrowment.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harrowment.vbs
- Executes dropped EXE (1 IoC)
  PID 2984 harrowment.exe
- Loads dropped DLL (1 IoC)
  PID 2696 0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe
- YARA rule upx (6 IoCs)
  behavioral9/memory/2696-0-0x0000000000400000-0x0000000000518000-memory.dmp
  behavioral9/memory/2696-12-0x0000000000400000-0x0000000000518000-memory.dmp
  \Users\Admin\AppData\Local\Dunlop\harrowment.exe
  behavioral9/memory/2696-19-0x0000000000400000-0x0000000000518000-memory.dmp
  behavioral9/memory/2984-35-0x0000000000400000-0x0000000000518000-memory.dmp
  behavioral9/memory/2984-38-0x0000000000400000-0x0000000000518000-memory.dmp
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Keys opened by RegSvcs.exe:
  \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: checkip.dyndns.org
- AutoIT Executable (4 IoCs)
  AutoIT scripts compiled to PE executables. YARA rule autoit_exe matched:
  behavioral9/memory/2696-12-0x0000000000400000-0x0000000000518000-memory.dmp
  behavioral9/memory/2696-19-0x0000000000400000-0x0000000000518000-memory.dmp
  behavioral9/memory/2984-35-0x0000000000400000-0x0000000000518000-memory.dmp
  behavioral9/memory/2984-38-0x0000000000400000-0x0000000000518000-memory.dmp
- Suspicious use of SetThreadContext (1 IoC)
  PID 2984 (harrowment.exe) set thread context of PID 1356 (RegSvcs.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1356 RegSvcs.exe (2 events)
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 2984 harrowment.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1356 RegSvcs.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  PID 2696 0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe (2 events), PID 2984 harrowment.exe (2 events)
- Suspicious use of SendNotifyMessage (4 IoCs)
  PID 2696 0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe (2 events), PID 2984 harrowment.exe (2 events)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2696 (0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe) wrote to memory of PID 2984 (harrowment.exe): 4 events
  PID 2984 (harrowment.exe) wrote to memory of PID 1356 (RegSvcs.exe): 8 events
- outlook_office_path (1 IoC)
  Key opened by RegSvcs.exe: \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Key opened by RegSvcs.exe: \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe (PID 2696)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe"
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Dunlop\harrowment.exe (PID 2984, child of 2696)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1356, child of 2984)
      Command line: "C:\Users\Admin\AppData\Local\Temp\0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
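The process tree shows the hollowing tell directly: harrowment.exe and RegSvcs.exe both carry the original sample's command line while their image paths differ, and the SetThreadContext and WriteProcessMemory rows connect PID 2984 to PID 1356, a signed .NET Framework utility that then does the Outlook profile reads and the external IP lookup. The Python below is an added example, not code from the report or from the sandbox: it rebuilds that chain from rows in the report's form and scores each injector/target pair on three checks. The per-PID process table, the list of .NET host binaries and the user-writable path prefixes are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events in the form the report's "Suspicious use of
# WriteProcessMemory" and "SetThreadContext" rows use. PIDs and names mirror
# the page; the text is assembled here for illustration, not exported from a sandbox.
EVENTS = """
PID 2696 wrote to memory of 2984 2696 0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe harrowment.exe
PID 2984 wrote to memory of 1356 2984 harrowment.exe RegSvcs.exe
PID 2984 set thread context of 1356 2984 harrowment.exe RegSvcs.exe
"""

# Image path and command line per PID, as the process tree on the page lists them.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe"
PROCESSES = {
    2696: {"image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    2984: {"image": r"C:\Users\Admin\AppData\Local\Dunlop\harrowment.exe", "cmdline": f'"{SAMPLE}"'},
    1356: {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", "cmdline": f'"{SAMPLE}"'},
}

# Signed .NET Framework utilities that injectors commonly pick as a host.
# Assumed list for the example; extend it from your own telemetry.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "applaunch.exe", "aspnet_compiler.exe"}
# Path fragments (lower-case) that mark a user-writable location. Assumed list.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+)\b")


def parse_events(text):
    """Map (injector_pid, target_pid) -> set of operations seen between the two."""
    edges = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            edges.setdefault((int(m["src"]), int(m["dst"])), set()).add(m["op"])
    return edges


def cmdline_image(cmdline):
    """First token of a Windows command line, with surrounding quotes removed."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.find('"', 1)]
    return cmdline.split(" ", 1)[0]


def find_hollowing(events_text, processes):
    """Flag injector->target pairs that show both a memory write and a thread-context change.

    Each finding lists which of three checks fired: the target is a trusted .NET host,
    the injector lives in a user-writable path, and the target's command line names
    a different image than the one actually mapped (the process-tree tell above).
    """
    findings = []
    for (src, dst), ops in sorted(parse_events(events_text).items()):
        if not {"wrote to memory of", "set thread context of"} <= ops:
            continue
        injector, target = processes[src], processes[dst]
        reasons = []
        if PureWindowsPath(target["image"]).name.lower() in DOTNET_HOSTS:
            reasons.append("target is a signed .NET Framework utility")
        if any(tok in injector["image"].lower() for tok in USER_WRITABLE):
            reasons.append("injector runs from a user-writable path")
        if cmdline_image(target["cmdline"]).lower() != target["image"].lower():
            reasons.append("target command line names a different image than the one mapped")
        findings.append({"injector": src, "target": dst, "reasons": reasons})
    return findings


def injection_chain(events_text, root):
    """Follow wrote-to-memory edges from root: the path the payload took to its final host."""
    edges = parse_events(events_text)
    chain, cur = [root], root
    while True:
        nxt = [d for (s, d), ops in edges.items() if s == cur and "wrote to memory of" in ops]
        if not nxt or nxt[0] in chain:
            return chain
        cur = nxt[0]
        chain.append(cur)


if __name__ == "__main__":
    print("chain:", " -> ".join(map(str, injection_chain(EVENTS, 2696))))
    for f in find_hollowing(EVENTS, PROCESSES):
        print(f"{f['injector']} -> {f['target']}: " + "; ".join(f["reasons"]))
```

Only the 2984 to 1356 pair trips the detector: the dropper's writes into harrowment.exe are a plain child launch with no thread-context change, whereas the write plus SetThreadContext into RegSvcs.exe, from a binary under AppData, with a command line that does not match the mapped image, is the combination to alert on in EDR telemetry regardless of which keylogger family ends up inside the host.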
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 224KB
  MD5: 2b78e824fa3a6f57ea84ac22caf7d227
  SHA1: d7c60208f467cfaeb204ccfbeaceaa31f9c599d1
  SHA256: e812de2b4ebe67e85dd9eb6ec0463697a86b591ed6ee703f650e198088630400
  SHA512: 3e9cc6510ba5004bb3b492e735a7749c8e7424dd32446890e1a9883d704363715fdf8a855bd9081b92a96225c8292ce3522eeef5b5889633af73b1cd98795b1e
- Filesize: 29KB
  MD5: 1097db4d33401c96c8c311d3f86e915e
  SHA1: c7569551684b84b0a3c5ca8e64bdc4bd75452b2f
  SHA256: c582dc1cc0ef4806de99dc2c9682f3f59ff42ab54c06d7f1c307cf1818cdfcb5
  SHA512: 3172c4601b57cad15487c69746ac79396838e5af2d1da814636277fd1b8385af7477d1add982d9e57cffd5314d3ecc0324a7428ddd15bd4e21e8d2ac6ae3ee78
- Filesize: 108.7MB
  MD5: a8601cb130036cfa9fa683c0e60766b1
  SHA1: 12eefda765a3d9e52d109c84c10628792c0b7a82
  SHA256: 422961089121aaf8f9284b424402c527cf3f36de2abae12df338e8af589c16c7
  SHA512: 7a44032b7e82cb70733cbb3f8f8aa90e8a57234a25e3d91b6450963b12aff20d27a98528e68664f68c32aa4663c71e4aff2cdc0964b32db076088a7be8670cc1