snakekeylogger | ba87381fa6489c00624d7fa62325afa9c9fd01e45384bf4075a858d3131bcdf8

Analysis

max time kernel
136s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

contract of BASHAN.exe
Size

537KB
MD5

192a10972e9401b7626f1f6bd50de84c
SHA1

7d674d1abb94f2f7c54b945efdec3a5835ca8c0f
SHA256

7152561bebf317fd5a88c09faf839006447c182e262d826c2741cc2d09b64f2d
SHA512

20fd0dbe1c7f8b6f3c4d4082c70b69787c8c7f082b621745540102bdb143aa5c70ed59d14c649322f8eb4cfbf01d1201c1dfadfe2017663af9c5d9d8a519e564
SSDEEP

12288:fmoahaD2QsSe+fAff3hjkcj2YH0Jv/v+zLuSn:4aD2QsSe+gfxjkcy/v/+LB

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
mail.valleycountysar.org
Port:
587
Username:
[email protected]
Password:
DKw(r0%wpbd]

http://103.130.147.85

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Snake Keylogger payload 1 IoCs

Processes:

resource yara_rule

behavioral4/memory/4368-9-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

contract of BASHAN.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation contract of BASHAN.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

contract of BASHAN.exe

description pid process target process

PID 672 set thread context of 4368 672 contract of BASHAN.exe contract of BASHAN.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

contract of BASHAN.exe

pid process

4368 contract of BASHAN.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

contract of BASHAN.exe

description pid process

Token: SeDebugPrivilege 4368 contract of BASHAN.exe

resource	yara_rule
behavioral4/memory/4368-9-0x0000000000400000-0x0000000000426000-memory.dmp	family_snakekeylogger

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	contract of BASHAN.exe

flow	ioc
5	checkip.dyndns.org

description	pid	process	target process
PID 672 set thread context of 4368	672	contract of BASHAN.exe	contract of BASHAN.exe

pid	process
4368	contract of BASHAN.exe

description	pid	process
Token: SeDebugPrivilege	4368	contract of BASHAN.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

contract of BASHAN.execontract of BASHAN.execmd.exe

description	pid	process	target process
PID 672 wrote to memory of 4368	672	contract of BASHAN.exe	contract of BASHAN.exe
PID 672 wrote to memory of 4368	672	contract of BASHAN.exe	contract of BASHAN.exe
PID 672 wrote to memory of 4368	672	contract of BASHAN.exe	contract of BASHAN.exe
PID 672 wrote to memory of 4368	672	contract of BASHAN.exe	contract of BASHAN.exe
PID 672 wrote to memory of 4368	672	contract of BASHAN.exe	contract of BASHAN.exe
PID 672 wrote to memory of 4368	672	contract of BASHAN.exe	contract of BASHAN.exe
PID 672 wrote to memory of 4368	672	contract of BASHAN.exe	contract of BASHAN.exe
PID 672 wrote to memory of 4368	672	contract of BASHAN.exe	contract of BASHAN.exe
PID 4368 wrote to memory of 4184	4368	contract of BASHAN.exe	cmd.exe
PID 4368 wrote to memory of 4184	4368	contract of BASHAN.exe	cmd.exe
PID 4368 wrote to memory of 4184	4368	contract of BASHAN.exe	cmd.exe
PID 4184 wrote to memory of 4976	4184	cmd.exe	choice.exe
PID 4184 wrote to memory of 4976	4184	cmd.exe	choice.exe
PID 4184 wrote to memory of 4976	4184	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\contract of BASHAN.exe
"C:\Users\Admin\AppData\Local\Temp\contract of BASHAN.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:672

C:\Users\Admin\AppData\Local\Temp\contract of BASHAN.exe
"C:\Users\Admin\AppData\Local\Temp\contract of BASHAN.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\contract of BASHAN.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4976

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\contract of BASHAN.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/672-4-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/672-8-0x00000000053D0000-0x00000000053D8000-memory.dmp

Filesize
32KB

Download
memory/672-3-0x0000000005160000-0x00000000051F2000-memory.dmp

Filesize
584KB

Download
memory/672-6-0x0000000005380000-0x00000000053D4000-memory.dmp

Filesize
336KB

Download
memory/672-5-0x0000000005330000-0x000000000533A000-memory.dmp

Filesize
40KB

Download
memory/672-0-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/672-7-0x0000000005480000-0x000000000551C000-memory.dmp

Filesize
624KB

Download
memory/672-2-0x0000000005670000-0x0000000005C14000-memory.dmp

Filesize
5.6MB

Download
memory/672-1-0x00000000006D0000-0x000000000075C000-memory.dmp

Filesize
560KB

Download
memory/672-13-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/4368-11-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/4368-10-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/4368-9-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4368-15-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download