Overview

overview

10

Static

static

1

98c9320cdb...3f.bat

windows7-x64

8

98c9320cdb...3f.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    79s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-06-2024 01:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    98c9320cdb52678dceee4b16666147bd1d96f73006311c03f6238fcdf813f93f.bat

  • Size

    2.9MB

  • MD5

    a65ee5594b619784ddae86580ae0023e

  • SHA1

    068ab505bb49206349b08527e88fa764475dc4e3

  • SHA256

    98c9320cdb52678dceee4b16666147bd1d96f73006311c03f6238fcdf813f93f

  • SHA512

    fa454fb624c12a7ceac9ba230134cb63df7321dcf09f5c077d7d94d82e0220fd04222b5f1ade571eb0154c716a284ccf802d76676dd0d6063e3da441dd7c056e

  • SSDEEP

    24576:qjdD5w0gCVEM/qU6ucJXtV5g+W1LAXuFyoU/Vgjt5Rxb85lepF+STTdA7jxkbLv8:2D71qdXt/3dKy4JrpFftkbWDoUAiVRTo

Score
10/10
snakekeyloggerevasionkeyloggerpersistencestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     ftp
  • Host:
    ftp://files.000webhost.com/
  • Port:
    21
  • Username:
    uzo1919
  • Password:
    Computer@101

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 1 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
  • Detects executables with potential process hoocking 1 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\98c9320cdb52678dceee4b16666147bd1d96f73006311c03f6238fcdf813f93f.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3684
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo F "
      2⤵
        PID:1624
      • C:\Windows\system32\xcopy.exe
        xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\98c9320cdb52678dceee4b16666147bd1d96f73006311c03f6238fcdf813f93f.bat.Uuz
        2⤵
          PID:2208
        • C:\Windows\system32\attrib.exe
          attrib +s +h C:\Users\Admin\AppData\Local\Temp\98c9320cdb52678dceee4b16666147bd1d96f73006311c03f6238fcdf813f93f.bat.Uuz
          2⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:3892
        • C:\Users\Admin\AppData\Local\Temp\98c9320cdb52678dceee4b16666147bd1d96f73006311c03f6238fcdf813f93f.bat.Uuz
          C:\Users\Admin\AppData\Local\Temp\98c9320cdb52678dceee4b16666147bd1d96f73006311c03f6238fcdf813f93f.bat.Uuz -WindowStyle hidden -command "$Uizrmvoio = Get-Content 'C:\Users\Admin\AppData\Local\Temp\98c9320cdb52678dceee4b16666147bd1d96f73006311c03f6238fcdf813f93f.bat' | select-object -Last 1; $Ubpyh = [System.Convert]::FromBase64String($Uizrmvoio);$Sfqzwt = New-Object System.IO.MemoryStream( , $Ubpyh );$Tcjzzfukost = New-Object System.IO.MemoryStream;$Umuaqpoo = New-Object System.IO.Compression.GzipStream $Sfqzwt, ([IO.Compression.CompressionMode]::Decompress);$Umuaqpoo.CopyTo( $Tcjzzfukost );$Umuaqpoo.Close();$Sfqzwt.Close();[byte[]] $Ubpyh = $Tcjzzfukost.ToArray();[Array]::Reverse($Ubpyh); $Nfaqarukpjv = [System.Threading.Thread]::GetDomain().Load($Ubpyh); $Kgtpyswwtxy = $Nfaqarukpjv.EntryPoint.DeclaringType.GetMethods()[0].Invoke($null, $null) | Out-Null"
          2⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3204
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2632
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 1512
              4⤵
              • Program crash
              PID:4892
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2632 -ip 2632
        1⤵
          PID:628

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Hide Artifacts

        2
        T1564

        Hidden Files and Directories

        2
        T1564.001

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\98c9320cdb52678dceee4b16666147bd1d96f73006311c03f6238fcdf813f93f.bat.Uuz
          Filesize

          423KB

          MD5

          c32ca4acfcc635ec1ea6ed8a34df5fac

          SHA1

          f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

          SHA256

          73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

          SHA512

          6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uptq3qxs.v52.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit
        • memory/2632-4928-0x0000000000400000-0x0000000000426000-memory.dmp
          Filesize

          152KB

          Download
        • memory/2632-4930-0x0000000075110000-0x00000000758C0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/2632-4929-0x0000000004E50000-0x0000000004EEC000-memory.dmp
          Filesize

          624KB

          Download
        • memory/2632-4931-0x0000000075110000-0x00000000758C0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/2632-4933-0x0000000075110000-0x00000000758C0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3204-74-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-12-0x00000000058C0000-0x0000000005926000-memory.dmp
          Filesize

          408KB

          Download
        • memory/3204-8-0x00000000050C0000-0x00000000056E8000-memory.dmp
          Filesize

          6.2MB

          Download
        • memory/3204-9-0x0000000005040000-0x0000000005062000-memory.dmp
          Filesize

          136KB

          Download
        • memory/3204-10-0x0000000075110000-0x00000000758C0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3204-11-0x0000000005760000-0x00000000057C6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/3204-64-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-18-0x0000000005930000-0x0000000005C84000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/3204-23-0x0000000006090000-0x00000000060AE000-memory.dmp
          Filesize

          120KB

          Download
        • memory/3204-24-0x00000000060C0000-0x000000000610C000-memory.dmp
          Filesize

          304KB

          Download
        • memory/3204-26-0x00000000065B0000-0x00000000065CA000-memory.dmp
          Filesize

          104KB

          Download
        • memory/3204-25-0x0000000007330000-0x00000000073C6000-memory.dmp
          Filesize

          600KB

          Download
        • memory/3204-27-0x00000000065D0000-0x00000000065F2000-memory.dmp
          Filesize

          136KB

          Download
        • memory/3204-28-0x0000000007980000-0x0000000007F24000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/3204-29-0x00000000085B0000-0x0000000008C2A000-memory.dmp
          Filesize

          6.5MB

          Download
        • memory/3204-30-0x0000000007410000-0x0000000007646000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/3204-32-0x0000000007810000-0x00000000078A2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/3204-31-0x0000000007F30000-0x0000000008158000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/3204-33-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-62-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-42-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-50-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-66-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-76-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-78-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-6-0x0000000004A50000-0x0000000004A86000-memory.dmp
          Filesize

          216KB

          Download
        • memory/3204-72-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-70-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-69-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-7-0x0000000075110000-0x00000000758C0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3204-34-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-60-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-58-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-56-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-52-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-48-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-54-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-46-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-44-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-40-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-38-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-37-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-92-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-90-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-88-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-96-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-94-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-86-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-84-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-82-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-80-0x0000000007F30000-0x0000000008152000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/3204-4920-0x0000000075110000-0x00000000758C0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3204-4921-0x0000000008160000-0x00000000081C2000-memory.dmp
          Filesize

          392KB

          Download
        • memory/3204-4922-0x0000000007930000-0x000000000797C000-memory.dmp
          Filesize

          304KB

          Download
        • memory/3204-4923-0x00000000081D0000-0x0000000008224000-memory.dmp
          Filesize

          336KB

          Download
        • memory/3204-4932-0x0000000075110000-0x00000000758C0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3204-5-0x000000007511E000-0x000000007511F000-memory.dmp
          Filesize

          4KB

          Download