Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 08-07-2024 13:49

Static task: static1
Behavioral task: behavioral1
  Sample: e0e245814e8ff752873c8275c9dc81f5.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: e0e245814e8ff752873c8275c9dc81f5.exe
  Resource: win10v2004-20240704-en
General
Target: e0e245814e8ff752873c8275c9dc81f5.exe
Size: 271KB
MD5: e0e245814e8ff752873c8275c9dc81f5
SHA1: ad686d471ad1376ea729acc46a9cde5d47b3b359
SHA256: 554590e0411638e001be8dcc94e36ec8b6033b654cfc50985940679da34684b3
SHA512: fb00d23e54b5916dcfd12310e1b90ba7e22d630855be4da66284d5dc44e767711dbdb5d354b522c6ffeec307ebad5915f131bd9a62ff43433efe45d3717c1c01
SSDEEP: 3072:nlNRFEkoqEA4mmDnu6HISYeS/9IqpR4FdUmPWuGDXIpAKWV3JAzfOUQmd4NDVoeg:nIvA4ZTo2S/93+RosoV9cVJkqD
Malware Config
Extracted: snakekeylogger
Protocol: smtp
Host: ypcog.shop
Port: 587
Username: [email protected]
Password: NpsTFMpGBcoy
Email To: [email protected]
Signatures
Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (1 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/3276-4893-0x0000000000080000-0x00000000000A6000-memory.dmp | family_snakekeylogger
Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | e0e245814e8ff752873c8275c9dc81f5.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | e0e245814e8ff752873c8275c9dc81f5.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | e0e245814e8ff752873c8275c9dc81f5.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hoyoyt = "C:\\Users\\Admin\\AppData\\Roaming\\Hoyoyt.exe" | e0e245814e8ff752873c8275c9dc81f5.exe
Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    6 | checkip.dyndns.org
Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 1252 set thread context of 3276 | 1252 | e0e245814e8ff752873c8275c9dc81f5.exe | e0e245814e8ff752873c8275c9dc81f5.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    3276 | e0e245814e8ff752873c8275c9dc81f5.exe
    3276 | e0e245814e8ff752873c8275c9dc81f5.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1252 | e0e245814e8ff752873c8275c9dc81f5.exe
    Token: SeDebugPrivilege | 1252 | e0e245814e8ff752873c8275c9dc81f5.exe
    Token: SeDebugPrivilege | 3276 | e0e245814e8ff752873c8275c9dc81f5.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (the same row is recorded 9 times):
    description | pid | process | target process
    PID 1252 wrote to memory of 3276 | 1252 | e0e245814e8ff752873c8275c9dc81f5.exe | e0e245814e8ff752873c8275c9dc81f5.exe
outlook_office_path (1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | e0e245814e8ff752873c8275c9dc81f5.exe
outlook_win_path (1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | e0e245814e8ff752873c8275c9dc81f5.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\e0e245814e8ff752873c8275c9dc81f5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e0e245814e8ff752873c8275c9dc81f5.exe"
   PID: 1252
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\e0e245814e8ff752873c8275c9dc81f5.exe (child of PID 1252)
      Command line: "C:\Users\Admin\AppData\Local\Temp\e0e245814e8ff752873c8275c9dc81f5.exe"
      PID: 3276
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path