Analysis

  • max time kernel
    107s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/04/2025, 07:34

General

  • Target

    2025-04-14_413c38e2d5fefaa876ea3be70366221f_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe

  • Size

    43.9MB

  • MD5

    413c38e2d5fefaa876ea3be70366221f

  • SHA1

    dcc8c3c35bc90f7206ecb070b5b86e7c0d63327e

  • SHA256

    f32749f0ed8816cf25f2e5f83c245f12af6c4be67d1aa41e3aa47753e647905b

  • SHA512

    baa2ac02b699931e6b85e1dcfa0be0e4e4f4922ec7e7210f42724d44d0a3665da53de11798b2a76781e28b2d58fe15c3c5877ded1886458ebdf2e98e6ffc9022

  • SSDEEP

    393216:y76L6otUitqtH7wHtXq2pt2jbOCacCFIK0fpP9HF4VW8yfynVQx4urYsANulL7Nr:y0LoCOn+2ys4urYDNulLBiuP

Malware Config

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 1 IoCs
  • Snakekeylogger family
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-04-14_413c38e2d5fefaa876ea3be70366221f_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-14_413c38e2d5fefaa876ea3be70366221f_black-basta_cobalt-strike_coinminer_satacom_zxxz.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Users\Admin\AppData\Local\Temp\53bec07df5672c7a4e4e82a8d8ac7f38\MT GOLDEN SCHULTE.exe
      "C:\Users\Admin\AppData\Local\Temp\53bec07df5672c7a4e4e82a8d8ac7f38\MT GOLDEN SCHULTE.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4788
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:232
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd.exe /C start "" /D "C:\Users\Admin\SystemRootDoc" "C:\Users\Admin\SystemRootDoc\MT GOLDEN SCHULTE.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Windows\system32\cmd.exe
      cmd.exe /C start "" /D "C:\Users\Admin\SystemRootDoc" "C:\Users\Admin\SystemRootDoc\MT GOLDEN SCHULTE.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1136
      • C:\Users\Admin\SystemRootDoc\MT GOLDEN SCHULTE.exe
        "C:\Users\Admin\SystemRootDoc\MT GOLDEN SCHULTE.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1240
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
          4⤵
            PID:4276
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
            4⤵
            • Accesses Microsoft Outlook profiles
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3596
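The tree above shows the dropped "MT GOLDEN SCHULTE.exe" (PIDs 4788 and 1240) starting regasm.exe with an empty command line and then using SetThreadContext and WriteProcessMemory on it, after which the regasm.exe children (PIDs 232 and 3596) are the processes that touch Outlook profiles and enumerate processes. It also records a Run key being added. The Python below is an added example written by the editor, not part of the sandbox report, that turns those two observations into hunt logic over Sysmon-style process-creation (EID 1) and registry-set (EID 13) records. The sample events are constructed from the paths, PIDs and command lines in the tree; the Run-key value name and data, the benign MSBuild control event, and the extra host names regsvcs.exe, installutil.exe and msbuild.exe are assumptions that do not come from the report.

```python
"""Hunt heuristics for the behaviour in the process tree above.

Added example, not part of the sandbox report.  Two checks over
Sysmon-style records represented as dicts:
  * EID 1: a .NET utility that normally needs an assembly argument is
    started with no arguments from a parent outside the framework or
    Visual Studio directories (regasm.exe here, PIDs 232/4276/3596).
  * EID 13: a Run/RunOnce value whose data points at an executable under
    a user profile (the C:\\Users\\Admin\\SystemRootDoc copy).
"""
import ntpath
import re

# Hollowing targets.  regasm.exe is the one in the report; the others are
# assumptions added for generality.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}

# Parents from which an argument-less launch of these tools is plausible.
BENIGN_PARENT_DIRS = (
    "c:\\windows\\microsoft.net\\",
    r"c:\program files\microsoft visual studio",
    r"c:\program files (x86)\microsoft visual studio",
)

# Anything under C:\Users\<name>\ is writable by that user.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\", re.IGNORECASE)


def _args_after_image(cmdline: str) -> str:
    """Return the command line minus its (possibly quoted) image token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) == 2 else ""


def hollowed_dotnet_host(ev: dict) -> bool:
    """EID 1 heuristic: .NET host started with no arguments from an
    unexpected parent.  Empty arguments are the tell: regasm.exe with no
    assembly path does nothing useful unless its image is replaced."""
    image = ntpath.basename(ev["Image"]).lower()
    if image not in DOTNET_HOSTS:
        return False
    if _args_after_image(ev["CommandLine"]):
        return False
    return not ev["ParentImage"].lower().startswith(BENIGN_PARENT_DIRS)


def run_key_into_profile(ev: dict) -> bool:
    """EID 13 heuristic: Run/RunOnce value pointing into a user profile."""
    if "\\currentversion\\run" not in ev["TargetObject"].lower():
        return False
    data = ev["Details"].strip().strip('"')
    return bool(USER_WRITABLE.match(data))


def triage(events: list[dict]) -> list[tuple[int, str]]:
    """Return (pid, reason) for every event that trips a heuristic."""
    hits = []
    for ev in events:
        if ev["EventID"] == 1 and hollowed_dotnet_host(ev):
            hits.append((ev["ProcessId"], "argless .NET host from unexpected parent"))
        elif ev["EventID"] == 13 and run_key_into_profile(ev):
            hits.append((ev["ProcessId"], "Run key points into user profile"))
    return hits


# Constructed sample events, built from the paths and PIDs in the report.
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
DROPPED = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\53bec07df5672c7a4e4e82a8d8ac7f38\MT GOLDEN SCHULTE.exe")
PERSISTED = r"C:\Users\Admin\SystemRootDoc\MT GOLDEN SCHULTE.exe"

SAMPLE_EVENTS = [
    # PID 232: regasm.exe with no assembly argument, parent is the dropped EXE
    {"EventID": 1, "ProcessId": 232, "Image": REGASM, "CommandLine": f'"{REGASM}"',
     "ParentImage": DROPPED, "ParentProcessId": 4788},
    # Benign control (assumed, not in the report): MSBuild registering an assembly
    {"EventID": 1, "ProcessId": 5000, "Image": REGASM,
     "CommandLine": f'"{REGASM}" /codebase C:\\build\\Interop.dll',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community"
                    r"\MSBuild\Current\Bin\MSBuild.exe",
     "ParentProcessId": 4999},
    # PID 1240: the SystemRootDoc copy relaunched via cmd.exe /c start; not a hit
    {"EventID": 1, "ProcessId": 1240, "Image": PERSISTED, "CommandLine": f'"{PERSISTED}"',
     "ParentImage": r"C:\Windows\system32\cmd.exe", "ParentProcessId": 1136},
    # Run key written by PID 4788; value name and data are assumptions
    {"EventID": 13, "ProcessId": 4788,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MT GOLDEN SCHULTE",
     "Details": f'"{PERSISTED}"'},
]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS):
        print(f"PID {pid}: {reason}")
```

The argument check is what separates the hollowed launches from legitimate regasm.exe use: a build tool always passes an assembly path, whereas the loader here starts the host bare and replaces its image afterwards, which is why the report tags both SetThreadContext and WriteProcessMemory on the parent rather than on regasm.exe itself.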

    Network

    MITRE ATT&CK Enterprise v16

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\53bec07df5672c7a4e4e82a8d8ac7f38\MT GOLDEN SCHULTE.exe

      Filesize

      633KB

      MD5

      573c3aa20cab92c93663f0e475323557

      SHA1

      647598a3a90b23787b83f0c23ba26a8b4b779592

      SHA256

      9ebea5ecb5f86bccf0564f563a35665876e5bcb1b66285a19965af5f24534b4a

      SHA512

      06fbf4dfea02ac62c81c9e47581d779891e2da9113ed45f349af2e4c52b86da9701a807872a5cfc059c5553de63bab3a24953a06a63d82cf8bf877c3dc538694

    • C:\Users\Admin\AppData\Local\Temp\53bec07df5672c7a4e4e82a8d8ac7f38\mscorlib.dll

      Filesize

      130KB

      MD5

      1e0299f7758f15f216295ef15fa199ef

      SHA1

      2eeb332581001d64335676713f7e83e6c0ca709b

      SHA256

      797b1889a661c23637567e0308c285caa7225e26df8c280665d8c092910d181f

      SHA512

      243a1b891be485412745b49c6c278624aa748d69961b9e01ce9ec0e8e79e93477bd270176dbbcb82af3d1262e6f659e84c3615bfdcc01f7c1f85be464785279e

    • C:\Users\Admin\AppData\Local\Temp\53bec07df5672c7a4e4e82a8d8ac7f38\tier0_s64.dll

      Filesize

      412KB

      MD5

      de738f87b7a558476d73d590ea20a3b9

      SHA1

      ea2da2c8b5c811ea798805d3e77250f12cf6da76

      SHA256

      87b2d5cd0f667d8f72468ffd146dcf2aebdf7e65db575c04ffe6a4df9c1f1850

      SHA512

      934a24556d0a4dd7643c03f96cb057ff25bceecbc9795c4a30884aecc5afd441fa99bfe0d978c8879f3fb10260373f055731f51a18775c55de68fa716bccb81b

    • C:\Users\Admin\AppData\Local\Temp\53bec07df5672c7a4e4e82a8d8ac7f38\vcredist_244.dll

      Filesize

      3.1MB

      MD5

      4910cd0a971b542d8d298c0ec16954d9

      SHA1

      4617c8e9948f02b1a7ff64f7286398f2a27c27e1

      SHA256

      485b37a6b5d745cfac4004e71ebbafc8d0297c9550d36781cb5ec068617b7473

      SHA512

      9543901a10b875049eb9ddcc2cb490ce241b994f94346b341d1a3c52b5488f33cec773f021695300333310ff00595d28634b0472706b27fbbc0a40c042e532eb

    • C:\Users\Admin\AppData\Local\Temp\53bec07df5672c7a4e4e82a8d8ac7f38\vcruntime210.dll

      Filesize

      2KB

      MD5

      2ebe4c9f2a5d071c3c81c2e4d66643a6

      SHA1

      4edd8a61d81c38bf71355ce39873c6d618973bff

      SHA256

      d469a3fd8e63e585395f36ee25590259d32f2520a7df1a2344143d267b3da04b

      SHA512

      0120c6a34283fe789aad5b68f4053de4118c46f7f8306a4989ec07dd5e8373bf7b624bcc1bcb99e5b8a315808b2474f16e67d7f8b6fb43ab46f54d4627e76423

    • C:\Users\Admin\AppData\Local\Temp\53bec07df5672c7a4e4e82a8d8ac7f38\vstdlib_s64.dll

      Filesize

      3.7MB

      MD5

      b282796d776824edebcff8ed888d39a3

      SHA1

      577b3f53d6d992d3d6261d391816cb9b669f612a

      SHA256

      ea1664f577fe05f89f2b3dd0cbed3667015ff5280e29f89035a1fc99c821ba7a

      SHA512

      79c2a5832a4f8599c74b7b153634e1efa9085f640138c817eac9e767eeb0fabdfa58d97d037d54330fe14e683df1b0985e17135198945b14b5b568f99f509d7e

    • memory/232-41-0x0000000005B90000-0x0000000006134000-memory.dmp

      Filesize

      5.6MB

    • memory/232-25-0x0000000000400000-0x0000000000426000-memory.dmp

      Filesize

      152KB

    • memory/232-42-0x00000000054A0000-0x000000000553C000-memory.dmp

      Filesize

      624KB

    • memory/232-45-0x0000000006880000-0x0000000006912000-memory.dmp

      Filesize

      584KB

    • memory/232-46-0x0000000006810000-0x000000000681A000-memory.dmp

      Filesize

      40KB

    • memory/1240-34-0x000002ABD28B0000-0x000002ABD28C0000-memory.dmp

      Filesize

      64KB

    • memory/1240-40-0x00007FF813BC0000-0x00007FF814025000-memory.dmp

      Filesize

      4.4MB

    • memory/3596-43-0x0000000006180000-0x00000000061D0000-memory.dmp

      Filesize

      320KB

    • memory/3596-44-0x00000000063A0000-0x0000000006562000-memory.dmp

      Filesize

      1.8MB

    • memory/4788-26-0x00007FF813BC0000-0x00007FF814025000-memory.dmp

      Filesize

      4.4MB

    • memory/4788-14-0x000002466B8E0000-0x000002466B8F0000-memory.dmp

      Filesize

      64KB