Overview

overview

10

Static

static

3

pago 4094.exe

windows11-21h2-x64

10

pago 4094.exe

android-13-x64

pago 4094.exe

ubuntu-22.04-amd64

Resubmissions

14-12-2024 15:43

241214-s6a6kawqhv 10

14-12-2024 15:39

241214-s3nmgsylal 10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14-12-2024 15:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pago 4094.exe

  • Size

    528KB

  • MD5

    1a0f4cc0513f1b56fef01c815410c6ea

  • SHA1

    a663c9ecf8f488d6e07b892165ae0a3712b0e91f

  • SHA256

    d483d48c15f797c92c89d2eafcc9fc7cbe0c02cabe1d9130bb9069e8c897c94c

  • SHA512

    4251fd4738f6b47a327b1f1d7609aa5af623669734a1fc9ebf5786337d0fbc5142c8176e51f9f2f5869e47bdbbb2f46090f66fb3cea30189d57917b58049f84b

  • SSDEEP

    12288:PXPZDbCo/k+n70P4uR87fD0iBTJj1ijFDTw:hOz+IPz6/PF1ihDTw

Score
10/10
snakekeyloggercollectiondiscoverykeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    UWzDeXWsD8

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Snakekeylogger family
    snakekeylogger
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pago 4094.exe
    "C:\Users\Admin\AppData\Local\Temp\pago 4094.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3892
    • C:\Users\Admin\AppData\Local\Temp\pago 4094.exe
      "C:\Users\Admin\AppData\Local\Temp\pago 4094.exe"
      2⤵
        PID:2804
      • C:\Users\Admin\AppData\Local\Temp\pago 4094.exe
        "C:\Users\Admin\AppData\Local\Temp\pago 4094.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2660
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:492
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4556
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1932 -parentBuildID 20240401114208 -prefsHandle 1848 -prefMapHandle 1840 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {24422e5c-c782-4755-85c2-1111a54aaf3e} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" gpu
          3⤵
            PID:1844
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2332 -parentBuildID 20240401114208 -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38955efa-377f-4d05-bc1e-08e2a550e3fc} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" socket
            3⤵
              PID:1300
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3244 -childID 1 -isForBrowser -prefsHandle 3236 -prefMapHandle 3232 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0fdd4fd-1eb4-43cb-8041-28752b275b88} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" tab
              3⤵
                PID:2828
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3940 -childID 2 -isForBrowser -prefsHandle 3932 -prefMapHandle 3928 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ad2880a-00f9-4fe0-b8e5-3b25818ea815} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" tab
                3⤵
                  PID:1492
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4880 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4876 -prefMapHandle 4872 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3947ccc2-712c-4966-a6bc-40ad01b34ad2} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" utility
                  3⤵
                  • Checks processor information in registry
                  PID:5220
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 3 -isForBrowser -prefsHandle 5260 -prefMapHandle 5336 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {314cf8d9-6a8a-4788-b31e-402bb3499f0d} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" tab
                  3⤵
                    PID:5692
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -childID 4 -isForBrowser -prefsHandle 5432 -prefMapHandle 5428 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2718165b-3952-4a37-9999-bb069b35c87f} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" tab
                    3⤵
                      PID:5704
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5724 -childID 5 -isForBrowser -prefsHandle 5644 -prefMapHandle 5648 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {757183d0-64ba-4c8b-8357-a180d806687a} 4556 "\\.\pipe\gecko-crash-server-pipe.4556" tab
                      3⤵
                        PID:5720
                  • C:\Windows\system32\BackgroundTransferHost.exe
                    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
                    1⤵
                    • Modifies registry class
                    PID:6024

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vo8scey3.default-release\activity-stream.discovery_stream.json
                    Filesize

                    20KB

                    MD5

                    2906773635e9bb0aeaf960d9228467c9

                    SHA1

                    4af19d189cb8b0302b523fb58e3168388312083c

                    SHA256

                    b7aa39c0c37ae0b99a8f6d835935c0f527639061572a0c28a7abe8eb70e0334a

                    SHA512

                    4f7c49ed47163e9705dec94828a9583eb7399660312a72788a6be89e23ecae4d42156f3e4f41a4f71a1f9fe5d214c43f6f187e1d790c84944674d2aef8197779

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vo8scey3.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                    Filesize

                    15KB

                    MD5

                    96c542dec016d9ec1ecc4dddfcbaac66

                    SHA1

                    6199f7648bb744efa58acf7b96fee85d938389e4

                    SHA256

                    7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                    SHA512

                    cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\c04810ec-2fa9-43e6-89c5-456c541e2e6c.down_data
                    Filesize

                    555KB

                    MD5

                    5683c0028832cae4ef93ca39c8ac5029

                    SHA1

                    248755e4e1db552e0b6f8651b04ca6d1b31a86fb

                    SHA256

                    855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

                    SHA512

                    aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\AlternateServices.bin
                    Filesize

                    6KB

                    MD5

                    b03dc2c6ccb3bedf3f75c4c55ba5181e

                    SHA1

                    fffca2849b27db3d5cc103f27f14f238af0ccbe2

                    SHA256

                    03b39e6dea38e2ef7d59393ff3fc03bf311f0f709fe89eff230cfaf0bb18210e

                    SHA512

                    33e9656ff0a912e9ecf04696cf897bae7b779360c94982e9e856a897c0f58352a265df21b20bce91bf5a80f83a1b4cefdeeaac1898d4802b238c027ee6c40338

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    6KB

                    MD5

                    a3460859cb4a54f115a05d2577e36809

                    SHA1

                    473d0fafeffcb49e3a37ce84a2bdd481e17e82fe

                    SHA256

                    ede5b2db91363944e92494b6fb8c3ce782ca15211d42f093247fa31a5005e087

                    SHA512

                    fadb076af17b000f7104c34440e0a3ccda688a04b754f03d130d9caecdbbf0aedb05fbc24216bd0b30d34691162f32d5c4c0c16a7af4fa4710d983f7d79b4ab1

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    5KB

                    MD5

                    447a0ddf5e65b36ef5d38236cd2d75a8

                    SHA1

                    5f3abcf09a8d7002dc18362faf56f63b4a613237

                    SHA256

                    7101ff5a45f057e51daab821a02659644949ae0d5418d9adc2f768bc2b9fa951

                    SHA512

                    92d12f394e8bdcb7e4c3aea538636166e8a59bbcec07f99a162601779fdaf04fa454a028242536b3c4da44b8376642c77c3ce84cb9144b41cb26a21036446ddf

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    6KB

                    MD5

                    35e154fa3d5cdc9b2cbd85c6c7469d96

                    SHA1

                    54410f5ee00b8f3fa6d3b67efe140acb8789ea55

                    SHA256

                    607c4c20a92a38f7ed89ec60fc630cae4254c911dc98d2af562b601a975f3526

                    SHA512

                    759d92f6f2c57bc169efd47a623cbeaf4867ba665b1e6427010c9ba3801281b7fe55163c2543f37051a6a3c26a6012e4e9291a42b0d3997fa23bc56b44f5eacd

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\2356f9b0-ace7-4b23-b1f9-093200678edd
                    Filesize

                    25KB

                    MD5

                    f711f203d843ddf12795974dff55eac8

                    SHA1

                    ab6f11a3c08e6c274b8275fb4c4251eeace9da9a

                    SHA256

                    1cda446bb5cf4d67717a286e33c554f9a34b1395a4f02b53428e56d4a1dd0986

                    SHA512

                    4c3a7ab536e258db48670284662f9174a316819c207ccccff6b2183bbef66cc6160b87c97392b0505efc30cb021c7842af4d36a392ef80be08452af94c6708ed

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\5250b9ae-0b41-42f3-ae13-286d8b861442
                    Filesize

                    671B

                    MD5

                    3bb9665ea5676f8e1fcacf04d7f1dfca

                    SHA1

                    744dce6d7226e8cb0f939fe62aefb6e56ff3668c

                    SHA256

                    ffc1e8a8b9235aee24ea5da6d610e894b7e1cc4c45e56ffb422aab89142f9887

                    SHA512

                    941fd82346472dc85bcb54b229152acc0e05267905962ba8399a74bb4b1671f97eefd58c931cf5d9e75f2a25f839b2b080bb8076b6b25967958b529a0d760c8c

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\d59a30be-7bdc-4335-8ae5-e67a94cd2cc0
                    Filesize

                    982B

                    MD5

                    1ee90cda45aa5059beba52f2ebe0067d

                    SHA1

                    6fab0f70ce60c1a5cefa6c49a28ff74cc0f1e88e

                    SHA256

                    2ad5638a8ec180674d8166c8d18b3ba73ec5ae8f87a60a6e753cb96677db29a3

                    SHA512

                    76d508c1400d767f8f8af50db5ceb32d988025f82631ec608fd8668c1c70cb2713fec48d3e34a7760a095ea8f67f79e8ad7df3424e17a7a9d91bcc20a2e34ffd

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs-1.js
                    Filesize

                    10KB

                    MD5

                    7f7b77e61401d012efa6564fe67626cf

                    SHA1

                    30b564bcb00425827a3a910d72d1ee1dee2e3f83

                    SHA256

                    561416a526790f4ae7309dde24e06682da53af1dcfe88856a7a94b16c3528f19

                    SHA512

                    66e2962a0877d573c13731d03b9b3cf59ff51797f4cae07f3e2312232ab47c463c5f7183ba189a51185c0bec0282e24e05fb88fe2e01da53d2020200a64d61ff

                    Download Submit

                  • memory/2660-15-0x0000000074E80000-0x0000000075631000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/2660-17-0x0000000074E80000-0x0000000075631000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/2660-13-0x0000000000400000-0x0000000000426000-memory.dmp

                    Filesize

                    152KB

                    Download

                  • memory/2660-19-0x0000000074E80000-0x0000000075631000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/2660-18-0x00000000069E0000-0x0000000006BA2000-memory.dmp

                    Filesize

                    1.8MB

                    Download

                  • memory/3892-10-0x00000000056A0000-0x00000000056AA000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/3892-7-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3892-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3892-11-0x0000000005760000-0x00000000057C0000-memory.dmp

                    Filesize

                    384KB

                    Download

                  • memory/3892-12-0x00000000093C0000-0x000000000945C000-memory.dmp

                    Filesize

                    624KB

                    Download

                  • memory/3892-9-0x0000000005480000-0x0000000005488000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/3892-8-0x0000000074E80000-0x0000000075631000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/3892-16-0x0000000074E80000-0x0000000075631000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/3892-6-0x00000000053C0000-0x00000000053D2000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/3892-5-0x0000000074E80000-0x0000000075631000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/3892-4-0x00000000051F0000-0x00000000051FA000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/3892-3-0x0000000005250000-0x00000000052E2000-memory.dmp

                    Filesize

                    584KB

                    Download

                  • memory/3892-2-0x0000000005800000-0x0000000005DA6000-memory.dmp

                    Filesize

                    5.6MB

                    Download

                  • memory/3892-1-0x00000000006C0000-0x000000000074A000-memory.dmp

                    Filesize

                    552KB

                    Download