Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
27-06-2024 16:23
General
-
Target
Product list Quotation.exe
-
Size
537KB
-
MD5
686765a9837993bcd537f331618ca760
-
SHA1
076f9efc6fec1075f83adbfcd5c659ccde48341d
-
SHA256
63dbe7d557dc8b87937890df261f61ee69b5c6354aed54d5611baa3e93f66e8e
-
SHA512
afacb63926fafc52b937194ea2c51ea147157c88ceaf11b37409a1f0faf97121e93711d1acf9be2eb20d2bf7fd7fda8b5275735e4b1488b5d80b7830343ff770
-
SSDEEP
12288:/lxGPX90OoD9WTcAycaYUDXKrDU0JxxJv/v+FLuSn:m+9WISa1JMxvv/gLB
Score
10/10
Malware Config
Extracted
Family
snakekeylogger
Credentials
Protocol: smtp- Host:
mail.valleycountysar.org - Port:
587 - Username:
[email protected] - Password:
DKw(r0%wpbd]
C2
http://103.130.147.85
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Product list Quotation.exe"C:\Users\Admin\AppData\Local\Temp\Product list Quotation.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Product list Quotation.exe"C:\Users\Admin\AppData\Local\Temp\Product list Quotation.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 14523⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4356 -ip 43561⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/644-6-0x00000000753B0000-0x0000000075B60000-memory.dmpFilesize
7.7MB
-
memory/644-0-0x00000000753BE000-0x00000000753BF000-memory.dmpFilesize
4KB
-
memory/644-2-0x0000000004EE0000-0x0000000005484000-memory.dmpFilesize
5.6MB
-
memory/644-3-0x0000000004A30000-0x0000000004AC2000-memory.dmpFilesize
584KB
-
memory/644-4-0x0000000004B60000-0x0000000004B6A000-memory.dmpFilesize
40KB
-
memory/644-5-0x0000000004CB0000-0x0000000004D04000-memory.dmpFilesize
336KB
-
memory/644-1-0x0000000000130000-0x00000000001BC000-memory.dmpFilesize
560KB
-
memory/644-7-0x0000000004DA0000-0x0000000004E3C000-memory.dmpFilesize
624KB
-
memory/644-13-0x00000000753B0000-0x0000000075B60000-memory.dmpFilesize
7.7MB
-
memory/644-8-0x0000000004BA0000-0x0000000004BA8000-memory.dmpFilesize
32KB
-
memory/4356-9-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/4356-11-0x00000000753B0000-0x0000000075B60000-memory.dmpFilesize
7.7MB
-
memory/4356-10-0x00000000753B0000-0x0000000075B60000-memory.dmpFilesize
7.7MB
-
memory/4356-14-0x00000000753B0000-0x0000000075B60000-memory.dmpFilesize
7.7MB