Resubmissions
10-11-2024 21:28  241110-1bhk6avgrr  score 10

Analysis
max time kernel: 62s
max time network: 104s
platform: windows7_x64
resource: win7-20241023-en
submitted: 10-11-2024 21:28
Static task
static1

Behavioral tasks
task  sample  resource
behavioral1  002d23802f5e90492a340a0202f8082ddf84d3abdb7834bf7cb771c81161e0a9.elf  ubuntu2404-amd64-20240523-en
behavioral2  006e75ccf30448182c69a7f7bc7a4308caa78a87e6d834926599ce6b11e222e6.exe  win7-20240903-en
behavioral3  006e75ccf30448182c69a7f7bc7a4308caa78a87e6d834926599ce6b11e222e6.exe  win10v2004-20241007-en
behavioral4  010b63314edf0d096b2c259cfc5b95fe28cae4d983e0ea547e13f8b16ff42c17.exe  win7-20240729-en
behavioral5  010b63314edf0d096b2c259cfc5b95fe28cae4d983e0ea547e13f8b16ff42c17.exe  win10v2004-20241007-en
behavioral6  017f252187d69448ce91bef978fabdd931c56a7f57d43ba3557da5c49b133e45.exe  win7-20240903-en
behavioral7  017f252187d69448ce91bef978fabdd931c56a7f57d43ba3557da5c49b133e45.exe  win10v2004-20241007-en
behavioral8  $PLUGINSDIR/System.dll  win7-20240903-en
behavioral9  $PLUGINSDIR/System.dll  win10v2004-20241007-en
behavioral10  Unmonumented/libEGL.dll  win7-20240903-en
behavioral11  Unmonumented/libEGL.dll  win10v2004-20241007-en
behavioral12  025a7cc996fdece05721b7ac336a6e2e614f7a76b59f0a3aff2278e374ac7b12.exe  win7-20240903-en
behavioral13  025a7cc996fdece05721b7ac336a6e2e614f7a76b59f0a3aff2278e374ac7b12.exe  win10v2004-20241007-en
behavioral14  026a0d5ada04432b47b8f00e05304f11c2f72374b522d0c906f919d115c4b0ed.exe  win7-20240903-en
behavioral15  026a0d5ada04432b47b8f00e05304f11c2f72374b522d0c906f919d115c4b0ed.exe  win10v2004-20241007-en
behavioral16  0296e49137a482b7db3bed7fe16c5ad20b083b20a8ce56b6c42309fff94d50b6.exe  win7-20241023-en  (the task reported on this page)
behavioral17  0296e49137a482b7db3bed7fe16c5ad20b083b20a8ce56b6c42309fff94d50b6.exe  win10v2004-20241007-en
behavioral18  038243614941cbef3abaa0524ae4c26cef4b8c902b0f674ebc77b04b1e035662.exe  win7-20240903-en
behavioral19  038243614941cbef3abaa0524ae4c26cef4b8c902b0f674ebc77b04b1e035662.exe  win10v2004-20241007-en
behavioral20  039b7cbbe00107f02b5004f4e2560b6d3f8c9e7c81a01ddd3c85a3c94b311bf4.exe  win7-20240903-en
behavioral21  039b7cbbe00107f02b5004f4e2560b6d3f8c9e7c81a01ddd3c85a3c94b311bf4.exe  win10v2004-20241007-en
behavioral22  03a0e7298d12838300b55acae66e5c132a980bd33ff63703d1657632326db543.exe  win7-20241010-en
behavioral23  03a0e7298d12838300b55acae66e5c132a980bd33ff63703d1657632326db543.exe  win10v2004-20241007-en
behavioral24  044d4141fa14d7abac6f282b72e4d4a6f0fec56df3d0d1650e2db3a1a5c80783.apk  android-x86-arm-20240624-en
behavioral25  044d4141fa14d7abac6f282b72e4d4a6f0fec56df3d0d1650e2db3a1a5c80783.apk  android-x64-20240624-en
behavioral26  044d4141fa14d7abac6f282b72e4d4a6f0fec56df3d0d1650e2db3a1a5c80783.apk  android-x64-arm64-20240624-en
behavioral27  0488488429b7776b837be76cef378782ec22ebbd71fe37ae16b3f325e0742283.exe  win7-20240708-en
behavioral28  0488488429b7776b837be76cef378782ec22ebbd71fe37ae16b3f325e0742283.exe  win10v2004-20241007-en
behavioral29  04ba4539039a535365ac32abf01cb409f0efbc33545a864865a073e09d7500df.elf  ubuntu2204-amd64-20240611-en
behavioral30  054c0c0eb0f5db96a0f5c39dfc6c822377462a12aff74bc86150d450aa880e5c.exe  win7-20240903-en
behavioral31  054c0c0eb0f5db96a0f5c39dfc6c822377462a12aff74bc86150d450aa880e5c.exe  win10v2004-20241007-en
behavioral32  058c3a111cb50601c15b4410b3770720b948702207b5ad6492b82e1c4fd310bc.js  win7-20240903-en
General
Target: 0296e49137a482b7db3bed7fe16c5ad20b083b20a8ce56b6c42309fff94d50b6.exe

Malware Config
Extracted: snakekeylogger
C2 (Telegram Bot API): https://api.telegram.org/bot5542941782:AAFlsn_FCfYT7D_ZthXK_Udd4a15AE58_Wg/sendMessage?chat_id=2054148913
The URL path embeds the bot token (bot<id>:<secret>) and the query string the receiving chat_id; this is the endpoint the stealer posts captured data to, so both values are blockable and reportable indicators.
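The extracted configuration is a single Telegram Bot API URL, and the useful triage step is to pull the bot ID, token and chat_id out of it and produce a redacted form that can go into a ticket or blocklist without leaking the secret. The following parser is an added example and is not part of the sandbox report; the only input it uses is the C2 URL shown above, and the field names in the returned record are this example's own.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# The C2 URL as extracted in this report (copied from the Malware Config section).
REPORT_C2 = ("https://api.telegram.org/bot5542941782:AAFlsn_FCfYT7D_ZthXK_Udd4a15AE58_Wg"
             "/sendMessage?chat_id=2054148913")

# Telegram Bot API paths have the shape /bot<numeric bot id>:<secret>/<method>.
_BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")


def parse_telegram_c2(url: str) -> Optional[dict]:
    """Split a Telegram Bot API exfiltration URL into indicator fields.

    Returns None for anything that is not an https://api.telegram.org/bot.../<method> URL,
    so the function can be run over every URL in a config dump without pre-filtering.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "api.telegram.org":
        return None
    m = _BOT_PATH.match(parts.path)
    if m is None:
        return None
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",   # full credential: keep in the restricted IOC store only
        "method": m["method"],                      # sendMessage here; sendDocument is the other common one
        "chat_id": chat_id,                         # the attacker-controlled chat that receives the loot
        # Shareable form: same routing information, secret removed.
        "redacted": f"https://api.telegram.org/bot{m['bot_id']}:<redacted>/{m['method']}?chat_id={chat_id}",
    }


if __name__ == "__main__":
    rec = parse_telegram_c2(REPORT_C2)
    for k, v in rec.items():
        if k != "token":
            print(f"{k}: {v}")
```

The bot ID and chat_id are stable across samples that share an operator, which makes them better pivots than the sample hash; the token itself is what Telegram needs in order to revoke the bot.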
Signatures

Snake Keylogger
Keylogger and infostealer, first seen in November 2020.

Snake Keylogger payload (5 IoCs)
resource  yara_rule
behavioral16/memory/2864-25-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
behavioral16/memory/2864-27-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
behavioral16/memory/2864-26-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
behavioral16/memory/2864-22-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger
behavioral16/memory/2864-20-0x0000000000400000-0x0000000000426000-memory.dmp  family_snakekeylogger

Snakekeylogger family

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
pid  Process
2796  powershell.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
4  checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoC)
description  pid  Process  procid_target
PID 2208 set thread context of 2864  2208  0296e49137a482b7db3bed7fe16c5ad20b083b20a8ce56b6c42309fff94d50b6.exe  35

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid  pid_target  Process  procid_target
1804  2864  WerFault.exe  35

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the victim's system language in order to infer the geographical location of the host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0296e49137a482b7db3bed7fe16c5ad20b083b20a8ce56b6c42309fff94d50b6.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSBuild.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid  Process
2716  schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  Process
2864  MSBuild.exe
2796  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeDebugPrivilege  2864  MSBuild.exe
Token: SeDebugPrivilege  2796  powershell.exe

Suspicious use of WriteProcessMemory (21 IoCs)
description  pid  Process  procid_target  (entries)
PID 2208 wrote to memory of 2796  2208  0296e49137a482b7db3bed7fe16c5ad20b083b20a8ce56b6c42309fff94d50b6.exe  31  (4)
PID 2208 wrote to memory of 2716  2208  0296e49137a482b7db3bed7fe16c5ad20b083b20a8ce56b6c42309fff94d50b6.exe  33  (4)
PID 2208 wrote to memory of 2864  2208  0296e49137a482b7db3bed7fe16c5ad20b083b20a8ce56b6c42309fff94d50b6.exe  35  (9)
PID 2864 wrote to memory of 1804  2864  MSBuild.exe  36  (4)
Processes

C:\Users\Admin\AppData\Local\Temp\0296e49137a482b7db3bed7fe16c5ad20b083b20a8ce56b6c42309fff94d50b6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0296e49137a482b7db3bed7fe16c5ad20b083b20a8ce56b6c42309fff94d50b6.exe"
  PID: 2208
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pfERLUVCmPr.exe"
    PID: 2796
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pfERLUVCmPr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2491.tmp"
    PID: 2716
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 2864
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1068
      PID: 1804
      - Program crash

Reading the tree: the children's command lines name System32 but their images load from SysWOW64 because the parent is a 32-bit process and WOW64 file-system redirection applies. MSBuild.exe is started with no project file and nothing else on its command line, which is not how a build runs; together with the SetThreadContext and WriteProcessMemory signatures from PID 2208 into PID 2864 and the family_snakekeylogger matches on PID 2864's memory at 0x400000, it is the host process the Snake Keylogger payload was injected into. The WerFault child (-p 2864) records that the injected process then crashed. The PowerShell exclusion and the scheduled task both reference pfERLUVCmPr, the name the sample uses for its persisted copy under AppData\Roaming.
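The process tree above is the part of this report that converts most directly into detection logic: a Defender exclusion being added from PowerShell, a scheduled task created from an XML file in the user's Temp folder, and MSBuild.exe launched with no project by a binary running out of a user-writable directory, all under one parent. The script below is an added example, not sandbox output or a published rule set; the process-creation events it runs over are constructed to mirror the tree on this page (Sysmon Event ID 1 style fields: pid, ppid, image, command line) with one benign MSBuild build added as a control, and the rule names and the chain threshold are this example's own choices. Injection telemetry (SetThreadContext, WriteProcessMemory) is not in process-creation logs, so the MSBuild rule approximates it from the argument-less launch and the parent's location.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable that was started
    cmdline: str   # command line as logged


# Constructed events mirroring this report's process tree, plus a benign developer build (pids 4000/4100).
SAMPLE_EVENTS = [
    ProcEvent(2208, 1000,
              r"C:\Users\Admin\AppData\Local\Temp\0296e49137a482b7db3bed7fe16c5ad20b083b20a8ce56b6c42309fff94d50b6.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\0296e49137a482b7db3bed7fe16c5ad20b083b20a8ce56b6c42309fff94d50b6.exe"'),
    ProcEvent(2796, 2208, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pfERLUVCmPr.exe"'),
    ProcEvent(2716, 2208, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pfERLUVCmPr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2491.tmp"'),
    ProcEvent(2864, 2208, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"'),
    ProcEvent(1804, 2864, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1068"),
    # Benign control: Visual Studio building a project must not trip the MSBuild rule.
    ProcEvent(4000, 1, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              r'"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"'),
    ProcEvent(4100, 4000, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
              r'"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" App.csproj /t:Build'),
]


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(ev: ProcEvent, parent) -> bool:
    """PowerShell adding any Defender exclusion (-ExclusionPath/-ExclusionProcess/-ExclusionExtension)."""
    return (_basename(ev.image) == "powershell.exe"
            and re.search(r"add-mppreference\s+-exclusion", ev.cmdline, re.I) is not None)


def rule_schtasks_xml_from_temp(ev: ProcEvent, parent) -> bool:
    """schtasks /Create importing a task definition from the user's Temp directory."""
    c = ev.cmdline.lower()
    return (_basename(ev.image) == "schtasks.exe" and "/create" in c and "/xml" in c
            and "\\appdata\\local\\temp\\" in c)


def rule_msbuild_without_project(ev: ProcEvent, parent) -> bool:
    """MSBuild.exe with nothing to build, spawned by a parent living under AppData (hollowing host pattern)."""
    if _basename(ev.image) != "msbuild.exe":
        return False
    args = re.sub(r'^"[^"]*"\s*|^\S+\s*', "", ev.cmdline).strip()   # drop the (possibly quoted) image path
    if args:
        return False
    return parent is None or re.search(r"\\appdata\\", parent.image, re.I) is not None


RULES = {
    "defender_exclusion_added": rule_defender_exclusion,
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "msbuild_without_project": rule_msbuild_without_project,
}


def run_rules(events):
    """Return (rule, pid, ppid) for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        for name, fn in RULES.items():
            if fn(ev, parent):
                hits.append((name, ev.pid, ev.ppid))
    return hits


def loader_chains(events, min_rules: int = 2):
    """Group hits by parent: a parent whose children trip >= min_rules distinct rules is the loader."""
    per_parent = defaultdict(set)
    for name, _pid, ppid in run_rules(events):
        per_parent[ppid].add(name)
    return {ppid: sorted(names) for ppid, names in per_parent.items() if len(names) >= min_rules}


if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print("hit:", hit)
    print("loader chains:", loader_chains(SAMPLE_EVENTS))
```

Each rule on its own has a benign population (administrators do add exclusions, installers do register tasks from XML), which is why the chain grouping keyed on the parent pid is the alert and the individual rules are the evidence; here all three fire under PID 2208 while the control build produces no hit.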
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 9ab60d0c8878057b103b4ebe5f99a281
SHA1: 83d5e98718dafa6655c14f509e6098a60bc18aee
SHA256: 54b80847f4ee42ad9e45b154cef0a8cd148f760c3203181601214c2fa1884540
SHA512: d0a3e72628f35e1b9054553c0fc6a4f53c879c29bc2a99e103b0aeecbb58aa56e410fff73bc7c940168c4506076147928052a309c9416336f8e5e95fa69719bc