Analysis
-
max time kernel
66s -
max time network
42s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
12-11-2024 10:20
Behavioral task
behavioral1
Sample
899dc226fa35da5923b2c6e6e0b90834dd1ea0b4d2e156a6bc99acd1a183a2d4.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
899dc226fa35da5923b2c6e6e0b90834dd1ea0b4d2e156a6bc99acd1a183a2d4.exe
Resource
win10v2004-20241007-en
General
-
Target
899dc226fa35da5923b2c6e6e0b90834dd1ea0b4d2e156a6bc99acd1a183a2d4.exe
-
Size
130KB
-
MD5
fd4302cdfacbc18e723806fde074625b
-
SHA1
6d1d8197029f5d5f0ad961178db8574fefb7a65b
-
SHA256
899dc226fa35da5923b2c6e6e0b90834dd1ea0b4d2e156a6bc99acd1a183a2d4
-
SHA512
a2f2bc0ca6b815545062c1c5536e858a9eda7ddca0fa4bc4905bb99f0451111ebe7e5a28f59cbc1abc782c8e6c7c8f2d9108eff2f6da5c2afec08c7b52ff34aa
-
SSDEEP
3072:d+XlnyGeKXVgLNIv4eYb5NtNsLEqwvxdqgbY:GnyTk49bvLzb
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
zulpine.shop - Port:
587 - Username:
[email protected] - Password:
dkA6kDAnLHNg - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
resource yara_rule behavioral1/memory/2768-1-0x0000000000280000-0x00000000002A6000-memory.dmp family_snakekeylogger -
Snakekeylogger family
-
Deletes itself 1 IoCs
pid Process 2660 cmd.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 checkip.dyndns.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 899dc226fa35da5923b2c6e6e0b90834dd1ea0b4d2e156a6bc99acd1a183a2d4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2768 899dc226fa35da5923b2c6e6e0b90834dd1ea0b4d2e156a6bc99acd1a183a2d4.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2768 899dc226fa35da5923b2c6e6e0b90834dd1ea0b4d2e156a6bc99acd1a183a2d4.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2768 wrote to memory of 2660 2768 899dc226fa35da5923b2c6e6e0b90834dd1ea0b4d2e156a6bc99acd1a183a2d4.exe 30 PID 2768 wrote to memory of 2660 2768 899dc226fa35da5923b2c6e6e0b90834dd1ea0b4d2e156a6bc99acd1a183a2d4.exe 30 PID 2768 wrote to memory of 2660 2768 899dc226fa35da5923b2c6e6e0b90834dd1ea0b4d2e156a6bc99acd1a183a2d4.exe 30 PID 2768 wrote to memory of 2660 2768 899dc226fa35da5923b2c6e6e0b90834dd1ea0b4d2e156a6bc99acd1a183a2d4.exe 30 PID 2660 wrote to memory of 2732 2660 cmd.exe 32 PID 2660 wrote to memory of 2732 2660 cmd.exe 32 PID 2660 wrote to memory of 2732 2660 cmd.exe 32 PID 2660 wrote to memory of 2732 2660 cmd.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\899dc226fa35da5923b2c6e6e0b90834dd1ea0b4d2e156a6bc99acd1a183a2d4.exe"C:\Users\Admin\AppData\Local\Temp\899dc226fa35da5923b2c6e6e0b90834dd1ea0b4d2e156a6bc99acd1a183a2d4.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\899dc226fa35da5923b2c6e6e0b90834dd1ea0b4d2e156a6bc99acd1a183a2d4.exe"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
- System Location Discovery: System Language Discovery
PID:2732
-
-