Analysis
- max time kernel: 136s
- max time network: 105s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-06-2024 16:31
Static task
- static1
Behavioral tasks
- behavioral1: sample contract of BASHAN.zip, resource win7-20240221-en
- behavioral2: sample contract of BASHAN.zip, resource win10v2004-20240611-en
- behavioral3: sample contract of BASHAN.exe, resource win7-20240508-en
- behavioral4: sample contract of BASHAN.exe, resource win10v2004-20240611-en
General
- Target: contract of BASHAN.exe
- Size: 537KB
- MD5: 192a10972e9401b7626f1f6bd50de84c
- SHA1: 7d674d1abb94f2f7c54b945efdec3a5835ca8c0f
- SHA256: 7152561bebf317fd5a88c09faf839006447c182e262d826c2741cc2d09b64f2d
- SHA512: 20fd0dbe1c7f8b6f3c4d4082c70b69787c8c7f082b621745540102bdb143aa5c70ed59d14c649322f8eb4cfbf01d1201c1dfadfe2017663af9c5d9d8a519e564
- SSDEEP: 12288:fmoahaD2QsSe+fAff3hjkcj2YH0Jv/v+zLuSn:4aD2QsSe+gfxjkcy/v/+LB
Malware Config
Extracted
- Family: snakekeylogger
- Protocol: smtp
- Host: mail.valleycountysar.org
- Port: 587
- Username: [email protected]
- Password: DKw(r0%wpbd]
- URL: http://103.130.147.85
Signatures
- Snake Keylogger
  Keylogger and infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoC)
  Processes:
  resource | yara_rule
  behavioral4/memory/4368-9-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | contract of BASHAN.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  5 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 672 set thread context of 4368 | 672 | contract of BASHAN.exe | contract of BASHAN.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid | process
  4368 | contract of BASHAN.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4368 | contract of BASHAN.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (identical rows collapsed, with the number of occurrences):
  description | pid | process | target process | occurrences
  PID 672 wrote to memory of 4368 | 672 | contract of BASHAN.exe | contract of BASHAN.exe | 8
  PID 4368 wrote to memory of 4184 | 4368 | contract of BASHAN.exe | cmd.exe | 3
  PID 4184 wrote to memory of 4976 | 4184 | cmd.exe | choice.exe | 3
Processes
1. C:\Users\Admin\AppData\Local\Temp\contract of BASHAN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\contract of BASHAN.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\contract of BASHAN.exe (child of 1)
     Command line: "C:\Users\Admin\AppData\Local\Temp\contract of BASHAN.exe"
     - Checks computer location settings
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\cmd.exe (child of 2)
       Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\contract of BASHAN.exe"
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\SysWOW64\choice.exe (child of 3)
         Command line: choice /C Y /N /D Y /T 3
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\contract of BASHAN.exe.log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
- Memory dumps (dump, filesize):
  memory/672-4-0x0000000074700000-0x0000000074EB0000-memory.dmp: 7.7MB
  memory/672-8-0x00000000053D0000-0x00000000053D8000-memory.dmp: 32KB
  memory/672-3-0x0000000005160000-0x00000000051F2000-memory.dmp: 584KB
  memory/672-6-0x0000000005380000-0x00000000053D4000-memory.dmp: 336KB
  memory/672-5-0x0000000005330000-0x000000000533A000-memory.dmp: 40KB
  memory/672-0-0x000000007470E000-0x000000007470F000-memory.dmp: 4KB
  memory/672-7-0x0000000005480000-0x000000000551C000-memory.dmp: 624KB
  memory/672-2-0x0000000005670000-0x0000000005C14000-memory.dmp: 5.6MB
  memory/672-1-0x00000000006D0000-0x000000000075C000-memory.dmp: 560KB
  memory/672-13-0x0000000074700000-0x0000000074EB0000-memory.dmp: 7.7MB
  memory/4368-11-0x0000000074700000-0x0000000074EB0000-memory.dmp: 7.7MB
  memory/4368-10-0x0000000074700000-0x0000000074EB0000-memory.dmp: 7.7MB
  memory/4368-9-0x0000000000400000-0x0000000000426000-memory.dmp: 152KB
  memory/4368-15-0x0000000074700000-0x0000000074EB0000-memory.dmp: 7.7MB