Analysis
-
max time kernel
142s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
27-06-2024 16:16
General
-
Target
Product list Quotation.exe
-
Size
537KB
-
MD5
f081e31b399dbf3450b468662bb4a124
-
SHA1
27385cfd3fc7796b33c2fa54e8728c67e39b44d2
-
SHA256
e855e16a669ed33674c20481a0a80dc4c6b77e50c0091a1f852a655336a5dd1e
-
SHA512
97056229574e32de6e63162767fdf261bc7b5a3188c072dd0f416f238e46cb3a096d8f7dfc8b0c358f2c0156303910ebf67909f36fd350dc2de5201ce4184267
-
SSDEEP
12288:/F2QYt9sMIqiTxNEz3AcdYMGJv/v+CLuSn:t2QEv0jEjDEv/HLB
Score
10/10
Malware Config
Extracted
Family
snakekeylogger
Credentials
Protocol: smtp- Host:
mail.valleycountysar.org - Port:
587 - Username:
[email protected] - Password:
DKw(r0%wpbd]
C2
http://103.130.147.85
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Product list Quotation.exe"C:\Users\Admin\AppData\Local\Temp\Product list Quotation.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Product list Quotation.exe"C:\Users\Admin\AppData\Local\Temp\Product list Quotation.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 14923⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4696 -ip 46961⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3076-6-0x0000000005A20000-0x0000000005A74000-memory.dmpFilesize
336KB
-
memory/3076-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmpFilesize
4KB
-
memory/3076-2-0x0000000005C90000-0x0000000006234000-memory.dmpFilesize
5.6MB
-
memory/3076-3-0x00000000057E0000-0x0000000005872000-memory.dmpFilesize
584KB
-
memory/3076-4-0x0000000074E40000-0x00000000755F0000-memory.dmpFilesize
7.7MB
-
memory/3076-5-0x0000000005A10000-0x0000000005A1A000-memory.dmpFilesize
40KB
-
memory/3076-1-0x0000000000DA0000-0x0000000000E2C000-memory.dmpFilesize
560KB
-
memory/3076-7-0x0000000005B50000-0x0000000005BEC000-memory.dmpFilesize
624KB
-
memory/3076-13-0x0000000074E40000-0x00000000755F0000-memory.dmpFilesize
7.7MB
-
memory/3076-8-0x0000000005AA0000-0x0000000005AA8000-memory.dmpFilesize
32KB
-
memory/4696-9-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/4696-11-0x0000000074E40000-0x00000000755F0000-memory.dmpFilesize
7.7MB
-
memory/4696-10-0x0000000074E40000-0x00000000755F0000-memory.dmpFilesize
7.7MB
-
memory/4696-14-0x0000000074E40000-0x00000000755F0000-memory.dmpFilesize
7.7MB