Analysis
- max time kernel: 115s
- max time network: 113s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 21-04-2021 10:42
Static task: static1
Behavioral task: behavioral1
- Sample: Payment_Swift_0096986854748574.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: Payment_Swift_0096986854748574.exe
- Resource: win10v20210410
General
- Target: Payment_Swift_0096986854748574.exe
- Size: 528KB
- MD5: 501154eaa3ca876fb7c705b9577d464e
- SHA1: 932caa850e234a9e39edee31db8af6b20b1d1e7b
- SHA256: c5f98919be8b9bf07f01a6d758e1707c060e091844ca4372ba2d2c1e6980e401
- SHA512: fd3ba9352008ebb6a3880f918972bd3db952d6737c69421d8a55d16213846e707cf9a1b1d0e698601df8fa5a52c7e744135eb152913b526d9b43bdee1e7678c8
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: smtp.ancrissrl.xyz
- Port: 587
- Username: love@ancrissrl.xyz
- Password: YrwySfZ6
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger Payload (3 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/568-67-0x0000000000400000-0x000000000046A000-memory.dmp: family_snakekeylogger
  - behavioral1/memory/568-68-0x00000000004643EE-mapping.dmp: family_snakekeylogger
  - behavioral1/memory/568-69-0x0000000000400000-0x000000000046A000-memory.dmp: family_snakekeylogger
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  - 5: checkip.dyndns.org
  - 10: freegeoip.app
  - 11: freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 1684 set thread context of 568 / 1684 / Payment_Swift_0096986854748574.exe / Payment_Swift_0096986854748574.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid / process):
  - 1684 / Payment_Swift_0096986854748574.exe
  - 1684 / Payment_Swift_0096986854748574.exe
  - 568 / Payment_Swift_0096986854748574.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 1684 / Payment_Swift_0096986854748574.exe
  - Token: SeDebugPrivilege / 568 / Payment_Swift_0096986854748574.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
  - PID 1684 wrote to memory of 568 / 1684 / Payment_Swift_0096986854748574.exe / Payment_Swift_0096986854748574.exe (9 identical events)
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment_Swift_0096986854748574.exe (level 1, PID 1684)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment_Swift_0096986854748574.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Payment_Swift_0096986854748574.exe (level 2, PID 568, spawned by PID 1684)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment_Swift_0096986854748574.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/568-67-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize 424KB)
- memory/568-68-0x00000000004643EE-mapping.dmp
- memory/568-69-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize 424KB)
- memory/568-71-0x00000000049D0000-0x00000000049D1000-memory.dmp (Filesize 4KB)
- memory/1684-60-0x0000000000F70000-0x0000000000F71000-memory.dmp (Filesize 4KB)
- memory/1684-62-0x00000000047E0000-0x00000000047E1000-memory.dmp (Filesize 4KB)
- memory/1684-63-0x0000000000C30000-0x0000000000C39000-memory.dmp (Filesize 36KB)
- memory/1684-64-0x000000007EF40000-0x000000007EF41000-memory.dmp (Filesize 4KB)
- memory/1684-65-0x0000000004820000-0x0000000004884000-memory.dmp (Filesize 400KB)
- memory/1684-66-0x0000000004B10000-0x0000000004B79000-memory.dmp (Filesize 420KB)
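The signatures above (WriteProcessMemory from 1684 into 568, then SetThreadContext on 568, both processes running the same image) together with the memory-dump list (the family_snakekeylogger hits on 0x400000-0x46A000 in PID 568 and the mapping dump at 0x4643EE) are the footprint of process hollowing: the parent starts a copy of itself, overwrites its image, and redirects the main thread into the new payload. The script below is an added triage example, not part of the sandbox report and not tooling from the sandbox vendor. It re-implements that correlation over constructed event lines copied by hand from the report's rows (the report groups rows by signature, not by time, so the script does not rely on ordering), flags the parent/child pair as a hollowing candidate, recovers the flagged region of the child, and checks that the mapping address falls inside it. Everything else (function names, the line formats) is an assumption made for the example.

```python
import re
from collections import defaultdict

# Constructed inputs modelled on the report's signature rows and dump list.
# Copied by hand so the script runs offline; they are not raw sandbox output.
IMG = "Payment_Swift_0096986854748574.exe"
EVENTS = (
    [f"Token: SeDebugPrivilege 1684 {IMG}"]
    + [f"PID 1684 wrote to memory of 568 1684 {IMG} {IMG}"] * 9
    + [f"PID 1684 set thread context of 568 1684 {IMG} {IMG}",
       f"Token: SeDebugPrivilege 568 {IMG}"]
)
DUMPS = [
    "memory/568-67-0x0000000000400000-0x000000000046A000-memory.dmp family_snakekeylogger",
    "memory/568-68-0x00000000004643EE-mapping.dmp family_snakekeylogger",
    "memory/568-69-0x0000000000400000-0x000000000046A000-memory.dmp family_snakekeylogger",
    "memory/568-71-0x00000000049D0000-0x00000000049D1000-memory.dmp",
    "memory/1684-65-0x0000000004820000-0x0000000004884000-memory.dmp",
]

# Row formats as they appear in the report: "PID <src> <verb> <dst> <pid> <process> <target>"
WRITE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
CTX = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")
# "memory/<pid>-<n>-0x<start>[-0x<end>]-(memory|mapping).dmp [yara_rule]"
DUMP = re.compile(
    r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp(?:\s+(\S+))?"
)


def find_hollowing(events):
    """Return (parent, child, image, write_count) for every parent/child pair where
    the parent wrote into the child at least once AND set the child's thread context,
    with both running the same image. Order-independent: the report groups rows by
    signature type, not by time."""
    writes, ctx, image = defaultdict(int), set(), {}
    for line in events:
        m = WRITE.match(line)
        if m:
            writes[(int(m[1]), int(m[2]))] += 1
            continue
        m = CTX.match(line)
        if m and m[3] == m[4]:  # parent and child run the same image: self-injection
            key = (int(m[1]), int(m[2]))
            ctx.add(key)
            image[key] = m[3]
    return [(s, d, image[(s, d)], writes[(s, d)]) for (s, d) in sorted(ctx) if writes[(s, d)]]


def parse_dumps(lines):
    """Turn dump file names into dicts with pid, start/end address, kind and YARA hit."""
    out = []
    for line in lines:
        m = DUMP.match(line)
        if m:
            out.append({"pid": int(m[1]), "start": int(m[2], 16),
                        "end": int(m[3], 16) if m[3] else None,
                        "kind": m[4], "family": m[5]})
    return out


def injected_image(dumps, pid):
    """For a hollowed child, return the YARA-flagged region, its size in KB, and the
    address recorded by the mapping dump, checking that the address lies inside the
    region (the redirected thread should start inside the injected image)."""
    regions = [d for d in dumps if d["pid"] == pid and d["kind"] == "memory" and d["family"]]
    maps = [d for d in dumps if d["pid"] == pid and d["kind"] == "mapping"]
    if not regions or not maps:
        return None
    start = min(r["start"] for r in regions)
    end = max(r["end"] for r in regions)
    entry = maps[0]["start"]
    return {"start": start, "end": end, "size_kb": (end - start) // 1024,
            "entry": entry, "entry_in_region": start <= entry < end,
            "family": regions[0]["family"]}


def triage(events, dumps):
    """Join the injection pairs with the child's flagged memory regions."""
    parsed = parse_dumps(dumps)
    return [{"parent": s, "child": d, "image": img, "writes": n,
             "payload": injected_image(parsed, d)}
            for s, d, img, n in find_hollowing(events)]


if __name__ == "__main__":
    for r in triage(EVENTS, DUMPS):
        p = r["payload"]
        print(f"{r['image']}: PID {r['parent']} hollowed PID {r['child']} "
              f"({r['writes']} writes); payload {p['family']} at "
              f"{p['start']:#x}-{p['end']:#x} ({p['size_kb']} KB), entry {p['entry']:#x}")
```

On the report's data this yields one hollowing pair (1684 into 568), a 424 KB flagged region at 0x400000-0x46A000 that matches the dump sizes listed above, and a mapping address 0x4643EE inside it; the parent's own dumps carry no YARA hit and no mapping dump, so it is correctly not reported as a payload host.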