Overview

overview

10

Static

static

3

Banktransf...15.exe

windows7-x64

10

Banktransf...15.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    27s
  • max time network
    29s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    25-10-2024 14:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Banktransferreceipt241015.exe

  • Size

    499KB

  • MD5

    a56e9ac0bdfb2994a47cff685f5082a8

  • SHA1

    855fef6a65caf563685f757a11b653a43472e4be

  • SHA256

    1546c45496290063818a4e24b240aa8cd88c8023dccb2876706a569a0359be9e

  • SHA512

    97bb5879e5a1be00eb980a5e51a6caa69fa4e5731e377236c4abf3b9cdaa7a5ef0b3040feb468c219e80ad42b49049f0fb74d3843bf896a4d23a947804a73342

  • SSDEEP

    12288:62UScVclz+IuSqKixs7p2JYQE3Pu98rxG6ortJ6zdhp:6UcVuSpW/3RN

Score
10/10
snakekeyloggerdiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7952998151:AAFh98iY7kaOlHAR0qftD3ZcqGbQm0TXbBY/sendMessage?chat_id=5692813672

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 5 IoCs
  • Snakekeylogger family
    snakekeylogger
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Deletes itself 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Banktransferreceipt241015.exe
    "C:\Users\Admin\AppData\Local\Temp\Banktransferreceipt241015.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Banktransferreceipt241015.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3000
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vYxHVdr.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3004
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vYxHVdr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2CE.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2920
    • C:\Users\Admin\AppData\Local\Temp\Banktransferreceipt241015.exe
      "C:\Users\Admin\AppData\Local\Temp\Banktransferreceipt241015.exe"
      2⤵
        PID:1448
      • C:\Users\Admin\AppData\Local\Temp\Banktransferreceipt241015.exe
        "C:\Users\Admin\AppData\Local\Temp\Banktransferreceipt241015.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Banktransferreceipt241015.exe"
          3⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2968
          • C:\Windows\SysWOW64\choice.exe
            choice /C Y /N /D Y /T 3
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1260

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp2CE.tmp
      Filesize

      1KB

      MD5

      accf1009feb4f5faf3ba41a350020a01

      SHA1

      b806554c901923c3f09488a42e2f9c3695437bf5

      SHA256

      3ecf971dbe532167e0543eef692dccb1f0a2f70d2caa908009a6f21375bc0729

      SHA512

      24453e65b3ff8325524e5e4d4e36055e0ba385f3cca060106ba13761a98e499038069e77a6c5188c1b41004b1feb492992572cef611229f337be9e93dec13f35

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E3K33L1MH8SRXQTUA7JX.temp
      Filesize

      7KB

      MD5

      e071cba2dee7db13b88c3c22cc28ae0c

      SHA1

      e513f54d3cfb9c72ad81677486918d3331b7fb26

      SHA256

      6ca3aeae39ccbabe60026ca7a33b040f05a7db80e008eec203f9053ff960f590

      SHA512

      55b526650f61a82df325e5e03c48ccca1741b11300acf0b65650e7230376cef7f5c05cdeb508f6e8934d1dfe0be07876367a8d49c791c7c2ea7cfb6fcc587170

      Download Submit

    • memory/2408-4-0x00000000744EE000-0x00000000744EF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2408-31-0x00000000744E0000-0x0000000074BCE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2408-0-0x00000000744EE000-0x00000000744EF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2408-5-0x00000000744E0000-0x0000000074BCE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2408-6-0x0000000002190000-0x00000000021F8000-memory.dmp

      Filesize

      416KB

      Download

    • memory/2408-2-0x00000000744E0000-0x0000000074BCE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2408-1-0x0000000000360000-0x00000000003E4000-memory.dmp

      Filesize

      528KB

      Download

    • memory/2408-3-0x00000000002F0000-0x0000000000302000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2892-30-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2892-28-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2892-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2892-25-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2892-23-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2892-21-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2892-19-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2892-29-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

      Download