Analysis
-
max time kernel
147s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
01-07-2024 01:18
Behavioral task
behavioral1
Sample
c5b9529a719d2acc7c9e2fad96ef6b960d0c7a90ddfd14767c2baa6a93939527.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
c5b9529a719d2acc7c9e2fad96ef6b960d0c7a90ddfd14767c2baa6a93939527.exe
Resource
win10v2004-20240508-en
General
-
Target
c5b9529a719d2acc7c9e2fad96ef6b960d0c7a90ddfd14767c2baa6a93939527.exe
-
Size
130KB
-
MD5
ae65828171d12dbd2817503f7c230d22
-
SHA1
3822837f216fca0e57ad17c799965492efc1f336
-
SHA256
c5b9529a719d2acc7c9e2fad96ef6b960d0c7a90ddfd14767c2baa6a93939527
-
SHA512
2ff7aa799b4ee56266b1e67f472052666c211e229854fd6afd67a217403177b789b766736c18d8ba57fcdfdca6a2687db1e67adeb0994247c773fcb453d0f39b
-
SSDEEP
3072:TysXix6vlYO39/L08MExkYMxvxlojbaGeplsLJwvxpBogbY:dix6dYO3RgxojbnepxBxb
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
valleycountysar.org - Port:
26 - Username:
[email protected] - Password:
fY,FLoadtsiF
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3960-1-0x0000000000430000-0x0000000000456000-memory.dmp family_snakekeylogger -
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3960-1-0x0000000000430000-0x0000000000456000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers -
Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3960-1-0x0000000000430000-0x0000000000456000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients -
Detects executables with potential process hoocking 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3960-1-0x0000000000430000-0x0000000000456000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DotNetProcHook -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 checkip.dyndns.org -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 5064 3960 WerFault.exe c5b9529a719d2acc7c9e2fad96ef6b960d0c7a90ddfd14767c2baa6a93939527.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
c5b9529a719d2acc7c9e2fad96ef6b960d0c7a90ddfd14767c2baa6a93939527.exepid process 3960 c5b9529a719d2acc7c9e2fad96ef6b960d0c7a90ddfd14767c2baa6a93939527.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
c5b9529a719d2acc7c9e2fad96ef6b960d0c7a90ddfd14767c2baa6a93939527.exedescription pid process Token: SeDebugPrivilege 3960 c5b9529a719d2acc7c9e2fad96ef6b960d0c7a90ddfd14767c2baa6a93939527.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5b9529a719d2acc7c9e2fad96ef6b960d0c7a90ddfd14767c2baa6a93939527.exe"C:\Users\Admin\AppData\Local\Temp\c5b9529a719d2acc7c9e2fad96ef6b960d0c7a90ddfd14767c2baa6a93939527.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 14762⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3960 -ip 39601⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3960-0-0x000000007465E000-0x000000007465F000-memory.dmpFilesize
4KB
-
memory/3960-1-0x0000000000430000-0x0000000000456000-memory.dmpFilesize
152KB
-
memory/3960-2-0x0000000005390000-0x0000000005934000-memory.dmpFilesize
5.6MB
-
memory/3960-3-0x0000000004CF0000-0x0000000004D8C000-memory.dmpFilesize
624KB
-
memory/3960-4-0x0000000074650000-0x0000000074E00000-memory.dmpFilesize
7.7MB
-
memory/3960-5-0x0000000074650000-0x0000000074E00000-memory.dmpFilesize
7.7MB