Analysis
- max time kernel: 107s
- max time network: 203s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 02-12-2024 16:23
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: NOAH SNAKE CRYPT.exe; Resource: win7-20240903-en)
- Behavioral task: behavioral2 (Sample: NOAH SNAKE CRYPT.exe; Resource: win10v2004-20241007-en)
- Behavioral task: behavioral3 (Sample: NOAH SNAKE CRYPT.exe; Resource: win11-20241007-en)
General
- Target: NOAH SNAKE CRYPT.exe
- Size: 1.1MB
- MD5: b3d2a69e99c66568eef876049cdedb8d
- SHA1: 1b7e1f804a40224c752ccf9e3ebfe6f179bada0b
- SHA256: 9a3acf740959669ba7e2d778d78a3c8ad00236eaab8be03d6fa0ec21344b07af
- SHA512: 0efa5a8bdb6331254dad87233356e407778b7e9fc90172e58293e60a8b01959f62240d2012c2a5e55904128f8d0ef3997b014659a9307a9a84d521422afe65f3
- SSDEEP: 24576:8u6J33O0c+JY5UZ+XC0kGso6Fad2uRyrWtwWNqTDbqJ2ZWY:mu0c++OCvkGs9Fad2uRyrWtDWGFY
Malware Config
Extracted (exfiltration channel)
- Protocol: smtp
- Host: mail.starofseasmarine.com
- Port: 587
- Username: [email protected]
- Password: Dontforget2015
Extracted
- Family: vipkeylogger
Signatures
- VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
- Vipkeylogger family
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  - Key opened: \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Process: RegSvcs.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Process: RegSvcs.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Process: RegSvcs.exe)
- Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  - Flow 1: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  - PID 3640 set thread context of 2076 (Process: NOAH SNAKE CRYPT.exe; procid_target: 81)
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: NOAH SNAKE CRYPT.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: NOAH SNAKE CRYPT.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: NOAH SNAKE CRYPT.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: RegSvcs.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 2076 RegSvcs.exe
  - PID 2076 RegSvcs.exe
- Suspicious behavior: MapViewOfSection (3 IoCs)
  - PID 4384 NOAH SNAKE CRYPT.exe
  - PID 2260 NOAH SNAKE CRYPT.exe
  - PID 3640 NOAH SNAKE CRYPT.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  - Token: SeDebugPrivilege (PID 2076, Process: RegSvcs.exe)
- Suspicious use of FindShellTrayWindow (6 IoCs)
  - PID 4384 NOAH SNAKE CRYPT.exe (x2)
  - PID 2260 NOAH SNAKE CRYPT.exe (x2)
  - PID 3640 NOAH SNAKE CRYPT.exe (x2)
- Suspicious use of SendNotifyMessage (6 IoCs)
  - PID 4384 NOAH SNAKE CRYPT.exe (x2)
  - PID 2260 NOAH SNAKE CRYPT.exe (x2)
  - PID 3640 NOAH SNAKE CRYPT.exe (x2)
- Suspicious use of WriteProcessMemory (16 IoCs)
  - PID 4384 wrote to memory of 3744 (Process: NOAH SNAKE CRYPT.exe; procid_target: 77) (x3)
  - PID 4384 wrote to memory of 2260 (Process: NOAH SNAKE CRYPT.exe; procid_target: 78) (x3)
  - PID 2260 wrote to memory of 4992 (Process: NOAH SNAKE CRYPT.exe; procid_target: 79) (x3)
  - PID 2260 wrote to memory of 3640 (Process: NOAH SNAKE CRYPT.exe; procid_target: 80) (x3)
  - PID 3640 wrote to memory of 2076 (Process: NOAH SNAKE CRYPT.exe; procid_target: 81) (x4)
- outlook_office_path (1 IoCs)
  - Key opened: \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Process: RegSvcs.exe)
- outlook_win_path (1 IoCs)
  - Key opened: \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Process: RegSvcs.exe)
Processes (tree; indentation shows parent/child depth)
- [depth 1] PID 4384: C:\Users\Admin\AppData\Local\Temp\NOAH SNAKE CRYPT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NOAH SNAKE CRYPT.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: MapViewOfSection; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - [depth 2] PID 3744: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NOAH SNAKE CRYPT.exe"
  - [depth 2] PID 2260: C:\Users\Admin\AppData\Local\Temp\NOAH SNAKE CRYPT.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NOAH SNAKE CRYPT.exe"
    Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: MapViewOfSection; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - [depth 3] PID 4992: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\NOAH SNAKE CRYPT.exe"
    - [depth 3] PID 3640: C:\Users\Admin\AppData\Local\Temp\NOAH SNAKE CRYPT.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\NOAH SNAKE CRYPT.exe"
      Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: MapViewOfSection; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - [depth 4] PID 2076: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\NOAH SNAKE CRYPT.exe"
        Signatures: Accesses Microsoft Outlook profiles; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
Downloads
- File 1
  - Filesize: 232KB
  - MD5: de38aceedf3c4a40e7734483872c87cd
  - SHA1: fd4b325d2d4e7afdcd8c9b147ad1503e41c11063
  - SHA256: 04172d04b0a94a5ccdb1f0f60d609d4ee543044452b42a48407f9012abe65c5a
  - SHA512: ba9fc34ec86288b79d2e01d5ba7fa19c5385f5358ef22a3c0978c34431006cc8324f0cb3d8ba8d65bd3d902da89cf37efe18dfb972c974f8bf427d932767d34f
- File 2
  - Filesize: 243KB
  - MD5: 69f81fdd85bc64c07d003900b43588f6
  - SHA1: bd203004c108bd0c2ed9f314f42eb6752c86b22c
  - SHA256: a99b6e4b9065337d70b7a844189f72777a3725c7a16a70ef1760203e401389e9
  - SHA512: 277bc7aaac2aa0ad2fb5fea7269fc54c17a0d78981da35af6de5d852ec240769c9eb5b2abecb81c6fc41e9f282197fb6c314ab1876f13a0178044f337fd94bac