Overview

overview

10

Static

static

3

Specificat...ls.exe

windows7-x64

10

Specificat...ls.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    51s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/06/2024, 01:05

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Specification details.exe

  • Size

    491KB

  • MD5

    9b2e3e7a82517cce2cbcc58fef4b8457

  • SHA1

    7764b9aebaa7c3a0c1b3bae37955d5b52450178a

  • SHA256

    648c777abbc03f6b816a0f8a794c91b69fb1f66da5fdfc7ce93cf5e5efde1b82

  • SHA512

    5de712d3f2e7de1db38bb3fd44ea892d5543af25ea8dcc39d6fc22893c0cb127bc3e9d8812b99d26bb4847cb77e0c1f7766389f2bf05900ae3e30690434ecdae

  • SSDEEP

    12288:ttMyF3ltmhmcOVahfG3+CSQ9vkk93YmjWWsGf:XM6ltmhja+CSQCk932Wsq

Score
10/10
snakekeyloggerkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    valleycountysar.org
  • Port:
    26
  • Username:
    [email protected]
  • Password:
    fY,FLoadtsiF
C2

http://103.130.147.85

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
  • Detects executables with potential process hoocking 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Specification details.exe
    "C:\Users\Admin\AppData\Local\Temp\Specification details.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Users\Admin\AppData\Local\Temp\Specification details.exe
      "C:\Users\Admin\AppData\Local\Temp\Specification details.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4280
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1452
        3⤵
        • Program crash
        PID:2136
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4280 -ip 4280
    1⤵
      PID:2368

    Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1400-5-0x00000000053A0000-0x00000000053F4000-memory.dmp

            Filesize

            336KB

            Download

          • memory/1400-13-0x0000000074FC0000-0x0000000075770000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1400-2-0x00000000059F0000-0x0000000005F94000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/1400-3-0x0000000005260000-0x00000000052F2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/1400-6-0x0000000074FC0000-0x0000000075770000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1400-4-0x0000000005390000-0x000000000539A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1400-8-0x0000000005420000-0x0000000005428000-memory.dmp

            Filesize

            32KB

            Download

          • memory/1400-0-0x0000000074FCE000-0x0000000074FCF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1400-1-0x0000000000830000-0x00000000008B2000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1400-7-0x0000000005610000-0x00000000056AC000-memory.dmp

            Filesize

            624KB

            Download

          • memory/4280-10-0x0000000074FC0000-0x0000000075770000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4280-11-0x0000000074FC0000-0x0000000075770000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4280-9-0x0000000000400000-0x0000000000426000-memory.dmp

            Filesize

            152KB

            Download

          • memory/4280-14-0x0000000074FC0000-0x0000000075770000-memory.dmp

            Filesize

            7.7MB

            Download