snakekeylogger | ba87381fa6489c00624d7fa62325afa9c9fd01e45384bf4075a858d3131bcdf8

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

contract of BASHAN.exe
Size

537KB
MD5

192a10972e9401b7626f1f6bd50de84c
SHA1

7d674d1abb94f2f7c54b945efdec3a5835ca8c0f
SHA256

7152561bebf317fd5a88c09faf839006447c182e262d826c2741cc2d09b64f2d
SHA512

20fd0dbe1c7f8b6f3c4d4082c70b69787c8c7f082b621745540102bdb143aa5c70ed59d14c649322f8eb4cfbf01d1201c1dfadfe2017663af9c5d9d8a519e564
SSDEEP

12288:fmoahaD2QsSe+fAff3hjkcj2YH0Jv/v+zLuSn:4aD2QsSe+gfxjkcy/v/+LB

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.valleycountysar.org
Port:
587
Username:
[email protected]
Password:
DKw(r0%wpbd]

http://103.130.147.85

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 5 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2140-11-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral3/memory/2140-13-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral3/memory/2140-16-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral3/memory/2140-8-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger
behavioral3/memory/2140-7-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

contract of BASHAN.exe

description pid process target process

PID 1776 set thread context of 2140 1776 contract of BASHAN.exe contract of BASHAN.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2260 2140 WerFault.exe contract of BASHAN.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

contract of BASHAN.exe

pid process

2140 contract of BASHAN.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

contract of BASHAN.exe

description pid process

Token: SeDebugPrivilege 2140 contract of BASHAN.exe

flow	ioc
4	checkip.dyndns.org

description	pid	process	target process
PID 1776 set thread context of 2140	1776	contract of BASHAN.exe	contract of BASHAN.exe

pid	pid_target	process	target process
2260	2140	WerFault.exe	contract of BASHAN.exe

pid	process
2140	contract of BASHAN.exe

description	pid	process
Token: SeDebugPrivilege	2140	contract of BASHAN.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

contract of BASHAN.execontract of BASHAN.exe

description	pid	process	target process
PID 1776 wrote to memory of 2140	1776	contract of BASHAN.exe	contract of BASHAN.exe
PID 1776 wrote to memory of 2140	1776	contract of BASHAN.exe	contract of BASHAN.exe
PID 1776 wrote to memory of 2140	1776	contract of BASHAN.exe	contract of BASHAN.exe
PID 1776 wrote to memory of 2140	1776	contract of BASHAN.exe	contract of BASHAN.exe
PID 1776 wrote to memory of 2140	1776	contract of BASHAN.exe	contract of BASHAN.exe
PID 1776 wrote to memory of 2140	1776	contract of BASHAN.exe	contract of BASHAN.exe
PID 1776 wrote to memory of 2140	1776	contract of BASHAN.exe	contract of BASHAN.exe
PID 1776 wrote to memory of 2140	1776	contract of BASHAN.exe	contract of BASHAN.exe
PID 1776 wrote to memory of 2140	1776	contract of BASHAN.exe	contract of BASHAN.exe
PID 2140 wrote to memory of 2260	2140	contract of BASHAN.exe	WerFault.exe
PID 2140 wrote to memory of 2260	2140	contract of BASHAN.exe	WerFault.exe
PID 2140 wrote to memory of 2260	2140	contract of BASHAN.exe	WerFault.exe
PID 2140 wrote to memory of 2260	2140	contract of BASHAN.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\contract of BASHAN.exe
"C:\Users\Admin\AppData\Local\Temp\contract of BASHAN.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Local\Temp\contract of BASHAN.exe
"C:\Users\Admin\AppData\Local\Temp\contract of BASHAN.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 1076
3⤵
- Program crash
PID:2260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1776-0-0x0000000074DFE000-0x0000000074DFF000-memory.dmp

Filesize
4KB

Download
memory/1776-1-0x0000000000240000-0x00000000002CC000-memory.dmp

Filesize
560KB

Download
memory/1776-2-0x00000000006B0000-0x0000000000704000-memory.dmp

Filesize
336KB

Download
memory/1776-3-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/1776-4-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/1776-19-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2140-16-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2140-17-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2140-13-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2140-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2140-8-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2140-7-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2140-6-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2140-5-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2140-18-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2140-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2140-20-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download