Malware Analysis Report

2025-08-05 14:43

Sample ID: 250701-h2qqcagq4w
Target: payment.exe
SHA256: ed99bc8b8fe39945058527720e8cbc838e305706ad4598bc5ce7aaddf3572f46
Tags: snakekeylogger collection discovery keylogger spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: ed99bc8b8fe39945058527720e8cbc838e305706ad4598bc5ce7aaddf3572f46

Threat Level: Known bad

The file payment.exe was found to be: Known bad.

Malicious Activity Summary

snakekeylogger collection discovery keylogger spyware stealer

Snakekeylogger family

Snake Keylogger

Snake Keylogger payload

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Suspicious behavior: EnumeratesProcesses

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-01 07:14

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-01 07:14

Reported

2025-07-01 07:16

Platform

win10v2004-20250502-en

Max time kernel

104s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\payment.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Snakekeylogger family

snakekeylogger

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A
N/A | reallyfreegeoip.org | N/A | N/A
N/A | reallyfreegeoip.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4200 set thread context of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\payment.exe | C:\Users\Admin\AppData\Local\Temp\payment.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\payment.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\payment.exe

"C:\Users\Admin\AppData\Local\Temp\payment.exe"

C:\Users\Admin\AppData\Local\Temp\payment.exe

"C:\Users\Admin\AppData\Local\Temp\payment.exe"

C:\Users\Admin\AppData\Local\Temp\payment.exe

"C:\Users\Admin\AppData\Local\Temp\payment.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | checkip.dyndns.org | udp
JP | 132.226.8.169:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 104.21.64.1:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.179.227:80 | c.pki.goog | tcp

Files

memory/4200-0-0x0000000000770000-0x0000000000802000-memory.dmp

memory/4200-1-0x00000000056D0000-0x0000000005C74000-memory.dmp

memory/4200-2-0x0000000005200000-0x0000000005292000-memory.dmp

memory/4200-3-0x0000000005460000-0x0000000005470000-memory.dmp

memory/4200-4-0x00000000053A0000-0x00000000053AA000-memory.dmp

memory/4200-5-0x0000000005510000-0x00000000055AC000-memory.dmp

memory/4200-6-0x00000000054C0000-0x00000000054D0000-memory.dmp

memory/4200-7-0x0000000005460000-0x0000000005470000-memory.dmp

memory/4200-8-0x0000000008020000-0x0000000008090000-memory.dmp

memory/4664-9-0x0000000000400000-0x0000000000426000-memory.dmp

memory/4664-11-0x00000000059C0000-0x00000000059D0000-memory.dmp

memory/4664-12-0x00000000059C0000-0x00000000059D0000-memory.dmp

memory/4664-13-0x0000000006A00000-0x0000000006A50000-memory.dmp

memory/4664-14-0x0000000006C20000-0x0000000006DE2000-memory.dmp