Malware Analysis Report

2025-08-05 14:43

Sample ID 250701-hx9bws1yat
Target payment.exe
SHA256 ed99bc8b8fe39945058527720e8cbc838e305706ad4598bc5ce7aaddf3572f46
Tags snakekeylogger collection discovery keylogger spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 ed99bc8b8fe39945058527720e8cbc838e305706ad4598bc5ce7aaddf3572f46

Threat Level: Known bad

The file payment.exe was found to be: Known bad.

Malicious Activity Summary

snakekeylogger collection discovery keylogger spyware stealer

Snake Keylogger

Snake Keylogger payload

Snakekeylogger family

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_win_path

outlook_office_path

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2025-07-01 07:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2025-07-01 07:08
Reported 2025-07-01 07:10
Platform win10v2004-20250610-en
Max time kernel 105s
Max time network 135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\payment.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Snakekeylogger family

snakekeylogger

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\payment.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\payment.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\payment.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A
N/A reallyfreegeoip.org N/A N/A
N/A reallyfreegeoip.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2964 set thread context of 3588 N/A C:\Users\Admin\AppData\Local\Temp\payment.exe C:\Users\Admin\AppData\Local\Temp\payment.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\payment.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\payment.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\payment.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\payment.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\payment.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\payment.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\payment.exe

"C:\Users\Admin\AppData\Local\Temp\payment.exe"

C:\Users\Admin\AppData\Local\Temp\payment.exe

"C:\Users\Admin\AppData\Local\Temp\payment.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.96.1:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

memory/2964-0-0x00000000002F0000-0x0000000000382000-memory.dmp

memory/2964-1-0x0000000005230000-0x00000000057D4000-memory.dmp

memory/2964-2-0x0000000004D60000-0x0000000004DF2000-memory.dmp

memory/2964-3-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/2964-4-0x0000000004F30000-0x0000000004F3A000-memory.dmp

memory/2964-5-0x0000000005000000-0x000000000509C000-memory.dmp

memory/2964-6-0x0000000006780000-0x0000000006790000-memory.dmp

memory/2964-7-0x0000000004D30000-0x0000000004D40000-memory.dmp

memory/2964-8-0x00000000060D0000-0x0000000006140000-memory.dmp

memory/3588-9-0x0000000000400000-0x0000000000426000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/3588-12-0x0000000005340000-0x0000000005350000-memory.dmp

memory/3588-13-0x0000000005340000-0x0000000005350000-memory.dmp

memory/3588-14-0x00000000064D0000-0x0000000006520000-memory.dmp

memory/3588-15-0x00000000066F0000-0x00000000068B2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2025-07-01 07:08
Reported 2025-07-01 07:10
Platform win11-20250619-en
Max time kernel 101s
Max time network 116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\payment.exe"

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Snakekeylogger family

snakekeylogger

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\payment.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\payment.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\payment.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A
N/A reallyfreegeoip.org N/A N/A
N/A reallyfreegeoip.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2768 set thread context of 1964 N/A C:\Users\Admin\AppData\Local\Temp\payment.exe C:\Users\Admin\AppData\Local\Temp\payment.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\payment.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\payment.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\payment.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\payment.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\payment.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-625765727-1271952295-745797415-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\payment.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\payment.exe

"C:\Users\Admin\AppData\Local\Temp\payment.exe"

C:\Users\Admin\AppData\Local\Temp\payment.exe

"C:\Users\Admin\AppData\Local\Temp\payment.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.64.1:443 reallyfreegeoip.org tcp

Files

memory/2768-0-0x0000000000B10000-0x0000000000BA2000-memory.dmp

memory/2768-1-0x0000000005C00000-0x00000000061A6000-memory.dmp

memory/2768-2-0x00000000056F0000-0x0000000005782000-memory.dmp

memory/2768-3-0x0000000005600000-0x0000000005610000-memory.dmp

memory/2768-4-0x0000000005670000-0x000000000567A000-memory.dmp

memory/2768-5-0x0000000005970000-0x0000000005A0C000-memory.dmp

memory/2768-6-0x0000000005920000-0x0000000005930000-memory.dmp

memory/2768-7-0x0000000005600000-0x0000000005610000-memory.dmp

memory/2768-8-0x00000000083D0000-0x0000000008440000-memory.dmp

memory/1964-9-0x0000000000400000-0x0000000000426000-memory.dmp

memory/1964-11-0x0000000005A20000-0x0000000005A30000-memory.dmp

memory/1964-12-0x0000000006EC0000-0x0000000006F10000-memory.dmp

memory/1964-13-0x00000000070E0000-0x00000000072A2000-memory.dmp

memory/1964-14-0x0000000005A20000-0x0000000005A30000-memory.dmp