Winforms.Binder.exe – Snake Keylogger Malware

October 31, 2023

SHA256 hash: 9734c8dcfd274b038523356935eadc3ff4f7c4b71542def7926f723d0872ca0b

Summary

Winforms.Binder.exe is a .NET compiled binary for the Windows 32-bit architecture. It contains obfuscated code that ultimately unpacks and executes a Snake Keylogger payload within the running process. This malware acts as a stealer/keylogger, collecting data from email clients, the user profile, and web browsers. Additionally, it will look up the infected system's external IP address by reaching out to hxxp://checkip.dyndns[.]org. Collected data is exfiltrated over encrypted SMTP on port 587 to the mail server at mail.hahcd[.]com.

Analysis

The function Sofia(), which is called from Main(), ultimately writes the Snake Keylogger payload into memory. Deobfuscating the code shows that it calls InvokeMember on a System.Net.Sockets System.Activator type. InvokeMember is passed ‘CreateInstance’ as the member name, ‘InvokeMethod’ as the binding-flags invoke attribute, and an object array containing the obfuscated bytes of the packed malware.
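The string table at the end of this write-up shows how the loader hides the reflection API names it needs: ‘CreateInstance’ is padded with ‘#’ and ‘System.Activator’ with ‘&’, so a plain string search for those names finds nothing. The following triage helper is an added example for this write-up, not code from the sample or from any tool it references; it strips the dominant filler character from each string and compares the result against a small list of reflection markers (that list is an assumption of the example). It assumes the two ‘&’-padded lines in the Strings section are one string wrapped in the listing and joins them.

```python
from collections import Counter

# Obfuscated strings copied from the Strings section of this write-up.
# The two '&'-padded lines are assumed to be one string wrapped in the listing.
OBFUSCATED_STRINGS = [
    "##C##r#e##a#t##e##I##n#s#t##a##n#c##e##",
    "&&&&&&&&&&&&&&&Sy&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&s&&&&&&&&&&&&&&&&&&&&&&&&tem.A&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&"
    "&&&&cti&&&&&&&&&&&&&&&&&&&&&va&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&tor&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&",
    "Winforms.Binder.exe",
]

# .NET reflection / loader API names worth flagging in a triage pass.
# Assumption of this example: the write-up does not enumerate such a list.
REFLECTION_MARKERS = {
    "System.Activator",
    "CreateInstance",
    "InvokeMember",
    "InvokeMethod",
    "Assembly.Load",
}


def strip_filler(s: str) -> str:
    """Return s with its padding character removed.

    The filler is detected per string as the most frequent character that is
    neither alphanumeric nor '.'/'_' (which legitimately occur in .NET names).
    It is only stripped when it makes up at least half of the string, so
    ordinary punctuation in command lines or user agents is left alone.
    """
    candidates = [c for c in s if not c.isalnum() and c not in "._"]
    if not candidates:
        return s
    filler, count = Counter(candidates).most_common(1)[0]
    if count < len(s) // 2:
        return s
    return s.replace(filler, "")


def find_reflection_markers(strings):
    """Map each recovered marker name to the raw obfuscated string it came from."""
    hits = {}
    for raw in strings:
        clean = strip_filler(raw)
        if clean in REFLECTION_MARKERS:
            hits[clean] = raw
    return hits


if __name__ == "__main__":
    for name, raw in find_reflection_markers(OBFUSCATED_STRINGS).items():
        print(f"{name:20s} <- {raw[:40]}{'...' if len(raw) > 40 else ''}")
```

Running the script recovers ‘CreateInstance’ and ‘System.Activator’ from the padded strings while leaving ‘Winforms.Binder.exe’ untouched, which matches the Activator.CreateInstance call described above. The per-string filler detection means the same helper works if a later build swaps ‘#’ or ‘&’ for another padding character.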

In the running process, the code written into memory can be seen in a region with RWX protection.

The malware attempts to enumerate and collect user data/login information from email clients and web browsers.

It reaches out to the URL hxxp://checkip.dyndns[.]org to obtain the infected host's public IP address.

Collected data is then exfiltrated via email using encrypted SMTP traffic on port 587. The data is sent to the mail server hosted at mail.hahcd[.]com.
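The network behaviour described in this section (an external IP lookup followed shortly by SMTP on port 587 from the same process) is a usable detection pattern. The script below is an added example written for this write-up, not the author's tooling; it runs that logic over a few constructed flow-log lines. The defanged hosts from the IOCs section are normalised for matching, the log format and the mail-client allowlist are assumptions of the example, and the five-minute correlation window is a tunable choice.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Network indicators from the IOCs section, with the defanging brackets removed.
IOC_HOSTS = {
    "checkip.dyndns.org": "external IP lookup",
    "mail.hahcd.com": "SMTP exfiltration server",
}
EXFIL_PORT = 587

# Images for which outbound SMTP/587 is expected. Assumption of this example;
# tune per environment.
MAIL_CLIENT_ALLOWLIST = {"outlook.exe", "thunderbird.exe"}

# Constructed sample flow log: time|image|proto|dst_host|dst_port
SAMPLE_LOG = """\
2023-10-31T10:00:01|C:\\Users\\victim\\Downloads\\Winforms.Binder.exe|tcp|checkip.dyndns.org|80
2023-10-31T10:00:03|C:\\Users\\victim\\Downloads\\Winforms.Binder.exe|tcp|mail.hahcd.com|587
2023-10-31T10:05:00|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|tcp|smtp.office365.com|587
2023-10-31T10:06:00|C:\\Windows\\System32\\svchost.exe|tcp|update.example.invalid|443
"""


@dataclass
class Alert:
    severity: str
    image: str
    reason: str


def parse_line(line: str):
    """Split one flow-log line into (timestamp, image, proto, host, port)."""
    ts, image, proto, host, port = line.split("|")
    return datetime.fromisoformat(ts), image, proto, host.lower(), int(port)


def scan(log_text: str, window: timedelta = timedelta(minutes=5)):
    """Return alerts for IOC hits and for the IP-lookup-then-SMTP sequence.

    A direct match on a known host is always 'high'. Outbound 587 from a
    process that is not a known mail client is 'medium', raised to 'critical'
    when the same image contacted the IP-check host within `window`.
    """
    alerts = []
    last_ipcheck = {}  # image -> time of most recent checkip contact
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, image, proto, host, port = parse_line(line)
        exe = image.rsplit("\\", 1)[-1].lower()

        if host in IOC_HOSTS:
            alerts.append(Alert("high", image,
                                f"contacted known IOC {host} ({IOC_HOSTS[host]})"))
            if host == "checkip.dyndns.org":
                last_ipcheck[image] = ts

        if port == EXFIL_PORT and exe not in MAIL_CLIENT_ALLOWLIST:
            severity = "medium"
            reason = f"outbound SMTP/{EXFIL_PORT} from non-mail-client {exe} to {host}"
            seen = last_ipcheck.get(image)
            if seen is not None and timedelta(0) <= ts - seen <= window:
                severity = "critical"
                reason += " shortly after an external IP lookup (keylogger exfil pattern)"
            alerts.append(Alert(severity, image, reason))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity.upper():8s}] {a.image}: {a.reason}")
```

On the sample log the Outlook connection to port 587 produces no alert, the two Winforms.Binder.exe connections each match a listed host, and the second one is additionally escalated because it follows the IP check by two seconds. Because SMTP over 587 is encrypted, the detection keys on the destination and the sequence rather than on message content.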

IOCs

SHA256 File Hash:

9734c8dcfd274b038523356935eadc3ff4f7c4b71542def7926f723d0872ca0b

Files:

Winforms.Binder.exe

HTTP Requests:

hxxp://checkip.dyndns[.]org

DNS:

checkip.dyndns[.]org

mail.hahcd[.]com

Strings

ouveia
Silvia
Svetlana
Rukhsana
Espinoza
Winforms.Binder.exe
Bolkvadze
Bartel
Waldemar
Winforms.Binder
Dresdner
Cornelius
##C##r#e##a#t##e##I##n#s#t##a##n#c##e##
&&&&&&&&&&&&&&&Sy&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&s&&&&&&&&&&&&&&&&&&&&&&&&tem.A&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
&&&&cti&&&&&&&&&&&&&&&&&&&&&va&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&tor&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
vsLhLhJBUCivwMwEUMTxEBAvTCUQJhvCDywZrpUfhf
lfwhUWZlmFnGhDYPudAJ.exe
YFGGCVyufgtwfyuTGFWTVFAUYVF
BsrOkyiChvpfhAkipZAxnnChkMGkLnAiZhGMyrnJfULiDGkfTkrTELinhfkLkJrkDExMvkEUCxUkUGr
PC Name:
Date and Time:
Client IP:
Country Name:
CountryCode:
Region Name:
Region Code:
City:
TimeZone:
Latitude:
Longitude:
PNvgmKgBeFD9EEqYvw6IMg==
5RzUfpZkPUinqVc03eNong==
ZeFaLagjHqWNxtpNFo9ndg==
TeqKEuAvT4j2VURuTSrQAoHYwdfj0Efq9P4y6LxTIDQ=
oXrxxBiV5W8=
Yx74dJ0TP3M=
Avira.Systray
/C choice /C Y /N /D Y /T 3 & Del “
cmd.exe
software\microsoft\windows\currentversion\run
hxxps://api.telegram[.]org/bot
/sendMessage?chat_id=
&text=
user-agent
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
hxxp://checkip.dyndns[.]org/
Current IP Check
Current IP Address:
Clipboard
/sendDocument?chat_id=
&caption=
Snake Tracker
Clipboard |
application/x-ms-dos-executable
Screenshot
SnakeKeylogger
Screenshot
Keystrokes
Keylogger