snakebot | e0320dd07664a62a6b8d85c68df98aa3a674428a8c85e6f75410a1dbfe66ca2a

Analysis

max time kernel
34s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2025, 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pacman.exe
Size

17.4MB
MD5

6b7c47f469f6d6da5f29cd4abf021af3
SHA1

2b802b1081242beae884ed280c6f243576bce589
SHA256

e0320dd07664a62a6b8d85c68df98aa3a674428a8c85e6f75410a1dbfe66ca2a
SHA512

fdb8f1b7748b3d0eb07e11c1811134f8c865a335147f079b2bc73bd01411fb44f9940af44c877d4fe72a333ac9801c542e7ab3459cf72bf50601046615ae2bcf
SSDEEP

393216:qzzj4URW5zzG+1Zvnd51xKvjLSAILzBCEIvhUq:gnkfPTKv6zBCtWq

Score

10^/10

snakebot discovery snakebot

Malware Config

Signatures

SnakeBOT
SnakeBOT is a heavily obfuscated .NET downloader.
snakebot
Snakebot family
snakebot

Contains SnakeBOT related strings 1 IoCs

snakebot

resource	yara_rule
behavioral2/memory/1020-27-0x0000000000400000-0x000000000575E000-memory.dmp	snakebot_strings

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	pacman.exe

Executes dropped EXE 1 IoCs

pid	Process
1020	mame.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mame.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pacman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4452	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4452	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1020	mame.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 2168	3332	pacman.exe	87
PID 3332 wrote to memory of 2168	3332	pacman.exe	87
PID 3332 wrote to memory of 2168	3332	pacman.exe	87
PID 2168 wrote to memory of 1020	2168	cmd.exe	92
PID 2168 wrote to memory of 1020	2168	cmd.exe	92
PID 2168 wrote to memory of 1020	2168	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\pacman.exe
"C:\Users\Admin\AppData\Local\Temp\pacman.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\R17-record-pacman.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\mame.exe
    mame pacman -record pacman.inp -nvram_directory NUL
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1020

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a8 0x2fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\R17-record-pacman.bat

Filesize
1KB

MD5
431d239c71734aea3487d3fceb9b5346

SHA1
33fd8d7846c7e4f9d130155a021dcb3899ad3ce5

SHA256
4b14f4a0dea3b70bc6e23070afc3fc0a433a2512699d74c46ba0049ecc2aeb85

SHA512
0530cc09a07c531ee4b8076cc7c25d19371c12af431196b0efafd7b028ea372e4d29b11bdead5cd46f1a184fd8170df56312c20adb9fabe46762c9b0db344ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cfg\default.cfg

Filesize
180B

MD5
699af169745db2b9dd0a4db1fd4522b7

SHA1
7310a8656b9fbf31d75bc367e968f2da5651618a

SHA256
e1fd9ac6dab9d6d037ce6937373b35bdd048750a3a5af2e95a403f37b09e2995

SHA512
b7d6c45f78b5654e63a7e75bfba242c3693a61249eb2b4fbf7d06ae588dae00d11f2ea9d1c84c46339c0934e6b88835e8cece45978627895145d47e6a3f83237

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mame.ini

Filesize
7KB

MD5
07c1ea8389ab7a4fd100c1335c107dd4

SHA1
fd010cd861344f400bec951939416773845a6203

SHA256
01fb0d231430654e640b5b36eb3c8bc4b21075648e90003a2b93e4381e9b2249

SHA512
24e762dcb48c0c0c1b9970a7a36ef4a471d293ba47b108e9224e53c188e6dd36c2002d67639f45970aa828f900aeec6df1066325d6830422a1d743a3b605d8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\roms\pacman.7z

Filesize
12KB

MD5
76987560f6ced82c3a9fdbd50b1fc4e8

SHA1
e82e091cd970616451608effb7e7bda68539928d

SHA256
40a75f772611e7d545d8beb96558c413a97efb5e601bbb0d07784d2765931281

SHA512
56aa0b17903f94bf898fd4b7606111c33b4de6f69b261fea8d3f3379221a75977215ace05d2c844b7984ed8a80e0da6a4893facea9d4b0fdd8c3da977b821ecf

Download Submit
memory/1020-27-0x0000000000400000-0x000000000575E000-memory.dmp

Filesize
83.4MB

Download
memory/1020-28-0x0000000000400000-0x000000000575E000-memory.dmp

Filesize
83.4MB

Download