Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-07-2024 01:18

General

  • Target

    c5b9529a719d2acc7c9e2fad96ef6b960d0c7a90ddfd14767c2baa6a93939527.exe

  • Size

    130KB

  • MD5

    ae65828171d12dbd2817503f7c230d22

  • SHA1

    3822837f216fca0e57ad17c799965492efc1f336

  • SHA256

    c5b9529a719d2acc7c9e2fad96ef6b960d0c7a90ddfd14767c2baa6a93939527

  • SHA512

    2ff7aa799b4ee56266b1e67f472052666c211e229854fd6afd67a217403177b789b766736c18d8ba57fcdfdca6a2687db1e67adeb0994247c773fcb453d0f39b

  • SSDEEP

    3072:TysXix6vlYO39/L08MExkYMxvxlojbaGeplsLJwvxpBogbY:dix6dYO3RgxojbnepxBxb

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    valleycountysar.org
  • Port:
    26
  • Username:
    [email protected]
  • Password:
    fY,FLoadtsiF

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 1 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
  • Detects executables with potential process hooking 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5b9529a719d2acc7c9e2fad96ef6b960d0c7a90ddfd14767c2baa6a93939527.exe
    "C:\Users\Admin\AppData\Local\Temp\c5b9529a719d2acc7c9e2fad96ef6b960d0c7a90ddfd14767c2baa6a93939527.exe"
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3960
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 1476
      • Program crash
      PID:5064
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3960 -ip 3960
    PID:4844

Downloads

  • memory/3960-0-0x000000007465E000-0x000000007465F000-memory.dmp
    Filesize: 4KB
  • memory/3960-1-0x0000000000430000-0x0000000000456000-memory.dmp
    Filesize: 152KB
  • memory/3960-2-0x0000000005390000-0x0000000005934000-memory.dmp
    Filesize: 5.6MB
  • memory/3960-3-0x0000000004CF0000-0x0000000004D8C000-memory.dmp
    Filesize: 624KB
  • memory/3960-4-0x0000000074650000-0x0000000074E00000-memory.dmp
    Filesize: 7.7MB
  • memory/3960-5-0x0000000074650000-0x0000000074E00000-memory.dmp
    Filesize: 7.7MB