Static task
static1
Behavioral task
behavioral1
Sample
2024-05-12_54cdcbef9065668b75b2a2b8e72ac3cc_ngrbot_snatch.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-05-12_54cdcbef9065668b75b2a2b8e72ac3cc_ngrbot_snatch.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-05-12_54cdcbef9065668b75b2a2b8e72ac3cc_ngrbot_snatch
-
Size
9.5MB
-
MD5
54cdcbef9065668b75b2a2b8e72ac3cc
-
SHA1
912c98eb436b1e21e9e1a84f6252273eb76577fb
-
SHA256
9fc4454099317d7154d8c703c128850f9c0f3536e831619313224b2e7947bc28
-
SHA512
1fabe68c1121830bb8693ff83adbbd770df3d1a61a41c2412329dec8d73ce9ddc4bef3033c2630575bcc6fd7cfbba4a64af9dd82eefbb6b601d0c9759c8ce81b
-
SSDEEP
98304:m/lSsz0v691HcrORvs0SSK2g8Rw3EplwSF8S1jC:9e0v6vKes0SSvgSplz1jC
Malware Config
Signatures
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs
resource yara_rule sample INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs -
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
resource yara_rule sample INDICATOR_SUSPICIOUS_Binary_References_Browsers -
Detects executables Discord URL observed in first stage droppers 1 IoCs
resource yara_rule sample INDICATOR_SUSPICIOUS_EXE_DiscordURL -
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs
resource yara_rule sample INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore -
Detects executables containing URLs to raw contents of a Github gist 1 IoCs
resource yara_rule sample INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL -
Detects executables containing possible sandbox system UUIDs 1 IoCs
resource yara_rule sample INDICATOR_SUSPICIOUS_EXE_SandboxSystemUUIDs -
Detects executables referencing virtualization MAC addresses 1 IoCs
resource yara_rule sample INDICATOR_SUSPICIOUS_VM_Evasion_MACAddrComb -
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource 2024-05-12_54cdcbef9065668b75b2a2b8e72ac3cc_ngrbot_snatch
Files
-
2024-05-12_54cdcbef9065668b75b2a2b8e72ac3cc_ngrbot_snatch.exe windows:6 windows x64 arch:x64
c2d457ad8ac36fc9f18d45bffcd450c2
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
kernel32
WriteFile
WriteConsoleW
WerSetFlags
WerGetFlags
WaitForMultipleObjects
WaitForSingleObject
VirtualQuery
VirtualFree
VirtualAlloc
TlsAlloc
SwitchToThread
SuspendThread
SetWaitableTimer
SetProcessPriorityBoost
SetEvent
SetErrorMode
SetConsoleCtrlHandler
RtlVirtualUnwind
RtlLookupFunctionEntry
ResumeThread
RaiseFailFastException
PostQueuedCompletionStatus
LoadLibraryW
LoadLibraryExW
SetThreadContext
GetThreadContext
GetSystemInfo
GetSystemDirectoryA
GetStdHandle
GetQueuedCompletionStatusEx
GetProcessAffinityMask
GetProcAddress
GetErrorMode
GetEnvironmentStringsW
GetCurrentThreadId
GetConsoleMode
FreeEnvironmentStringsW
ExitProcess
DuplicateHandle
CreateWaitableTimerExW
CreateThread
CreateIoCompletionPort
CreateFileA
CreateEventA
CloseHandle
AddVectoredExceptionHandler
AddVectoredContinueHandler
Sections
.text Size: 4.6MB - Virtual size: 4.6MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 4.2MB - Virtual size: 4.2MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 463KB - Virtual size: 1.0MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 107KB - Virtual size: 107KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.xdata Size: 512B - Virtual size: 180B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.idata Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 64KB - Virtual size: 63KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
.symtab Size: 512B - Virtual size: 4B
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ