Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 27-06-2024 16:31
- Static task: static1
- Behavioral task: behavioral1 (Sample: contract of BASHAN.zip; Resource: win7-20240221-en)
- Behavioral task: behavioral2 (Sample: contract of BASHAN.zip; Resource: win10v2004-20240611-en)
- Behavioral task: behavioral3 (Sample: contract of BASHAN.exe; Resource: win7-20240508-en)
- Behavioral task: behavioral4 (Sample: contract of BASHAN.exe; Resource: win10v2004-20240611-en)
General
- Target: contract of BASHAN.exe
- Size: 537KB
- MD5: 192a10972e9401b7626f1f6bd50de84c
- SHA1: 7d674d1abb94f2f7c54b945efdec3a5835ca8c0f
- SHA256: 7152561bebf317fd5a88c09faf839006447c182e262d826c2741cc2d09b64f2d
- SHA512: 20fd0dbe1c7f8b6f3c4d4082c70b69787c8c7f082b621745540102bdb143aa5c70ed59d14c649322f8eb4cfbf01d1201c1dfadfe2017663af9c5d9d8a519e564
- SSDEEP: 12288:fmoahaD2QsSe+fAff3hjkcj2YH0Jv/v+zLuSn:4aD2QsSe+gfxjkcy/v/+LB
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.valleycountysar.org
- Port: 587
- Username: [email protected]
- Password: DKw(r0%wpbd]
- http://103.130.147.85
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (5 IoCs)
  Processes (resource / yara_rule):
    behavioral3/memory/2140-11-0x0000000000400000-0x0000000000426000-memory.dmp / family_snakekeylogger
    behavioral3/memory/2140-13-0x0000000000400000-0x0000000000426000-memory.dmp / family_snakekeylogger
    behavioral3/memory/2140-16-0x0000000000400000-0x0000000000426000-memory.dmp / family_snakekeylogger
    behavioral3/memory/2140-8-0x0000000000400000-0x0000000000426000-memory.dmp / family_snakekeylogger
    behavioral3/memory/2140-7-0x0000000000400000-0x0000000000426000-memory.dmp / family_snakekeylogger
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
    4 / checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 1776 set thread context of 2140 / 1776 / contract of BASHAN.exe / contract of BASHAN.exe
- Program crash (1 IoC)
  Processes (pid / pid_target / process / target process):
    2260 / 2140 / WerFault.exe / contract of BASHAN.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid / process):
    2140 / contract of BASHAN.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 2140 / contract of BASHAN.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description / pid / process / target process):
    PID 1776 wrote to memory of 2140 / 1776 / contract of BASHAN.exe / contract of BASHAN.exe (9 occurrences)
    PID 2140 wrote to memory of 2260 / 2140 / contract of BASHAN.exe / WerFault.exe (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\contract of BASHAN.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\contract of BASHAN.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\contract of BASHAN.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\contract of BASHAN.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (depth 3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 1076
      - Program crash
Downloads (memory dump / filesize)
- memory/1776-0-0x0000000074DFE000-0x0000000074DFF000-memory.dmp: 4KB
- memory/1776-1-0x0000000000240000-0x00000000002CC000-memory.dmp: 560KB
- memory/1776-2-0x00000000006B0000-0x0000000000704000-memory.dmp: 336KB
- memory/1776-3-0x0000000074DF0000-0x00000000754DE000-memory.dmp: 6.9MB
- memory/1776-4-0x0000000000350000-0x0000000000358000-memory.dmp: 32KB
- memory/1776-19-0x0000000074DF0000-0x00000000754DE000-memory.dmp: 6.9MB
- memory/2140-16-0x0000000000400000-0x0000000000426000-memory.dmp: 152KB
- memory/2140-17-0x0000000074DF0000-0x00000000754DE000-memory.dmp: 6.9MB
- memory/2140-13-0x0000000000400000-0x0000000000426000-memory.dmp: 152KB
- memory/2140-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
- memory/2140-8-0x0000000000400000-0x0000000000426000-memory.dmp: 152KB
- memory/2140-7-0x0000000000400000-0x0000000000426000-memory.dmp: 152KB
- memory/2140-6-0x0000000000400000-0x0000000000426000-memory.dmp: 152KB
- memory/2140-5-0x0000000000400000-0x0000000000426000-memory.dmp: 152KB
- memory/2140-18-0x0000000074DF0000-0x00000000754DE000-memory.dmp: 6.9MB
- memory/2140-11-0x0000000000400000-0x0000000000426000-memory.dmp: 152KB
- memory/2140-20-0x0000000074DF0000-0x00000000754DE000-memory.dmp: 6.9MB