Analysis
- Max time kernel: 104s
- Max time network: 113s
- Platform: windows10_x64
- Resource: win10v20210410
- Submitted: 21-04-2021 10:42
- Static task: static1
- Behavioral task behavioral1: sample Payment_Swift_0096986854748574.exe, resource win7v20210408
- Behavioral task behavioral2: sample Payment_Swift_0096986854748574.exe, resource win10v20210410
General
- Target: Payment_Swift_0096986854748574.exe
- Size: 528KB
- MD5: 501154eaa3ca876fb7c705b9577d464e
- SHA1: 932caa850e234a9e39edee31db8af6b20b1d1e7b
- SHA256: c5f98919be8b9bf07f01a6d758e1707c060e091844ca4372ba2d2c1e6980e401
- SHA512: fd3ba9352008ebb6a3880f918972bd3db952d6737c69421d8a55d16213846e707cf9a1b1d0e698601df8fa5a52c7e744135eb152913b526d9b43bdee1e7678c8
Malware Config
Extracted family: snakekeylogger
- Protocol: smtp
- Host: smtp.ancrissrl.xyz
- Port: 587
- Username: [email protected]
- Password: YrwySfZ6
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger Payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/3952-125-0x0000000000400000-0x000000000046A000-memory.dmp | family_snakekeylogger
  behavioral2/memory/3952-126-0x00000000004643EE-mapping.dmp | family_snakekeylogger
  behavioral2/memory/3952-135-0x00000000053D0000-0x00000000058CE000-memory.dmp | family_snakekeylogger
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  20 | freegeoip.app
  21 | freegeoip.app
  17 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 3152 set thread context of 3952 | 3152 | Payment_Swift_0096986854748574.exe | Payment_Swift_0096986854748574.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  3152 | Payment_Swift_0096986854748574.exe
  3152 | Payment_Swift_0096986854748574.exe
  3152 | Payment_Swift_0096986854748574.exe
  3952 | Payment_Swift_0096986854748574.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3152 | Payment_Swift_0096986854748574.exe
  Token: SeDebugPrivilege | 3952 | Payment_Swift_0096986854748574.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target process
  PID 3152 wrote to memory of 3952 | 3152 | Payment_Swift_0096986854748574.exe | Payment_Swift_0096986854748574.exe
  PID 3152 wrote to memory of 3952 | 3152 | Payment_Swift_0096986854748574.exe | Payment_Swift_0096986854748574.exe
  PID 3152 wrote to memory of 3952 | 3152 | Payment_Swift_0096986854748574.exe | Payment_Swift_0096986854748574.exe
  PID 3152 wrote to memory of 3952 | 3152 | Payment_Swift_0096986854748574.exe | Payment_Swift_0096986854748574.exe
  PID 3152 wrote to memory of 3952 | 3152 | Payment_Swift_0096986854748574.exe | Payment_Swift_0096986854748574.exe
  PID 3152 wrote to memory of 3952 | 3152 | Payment_Swift_0096986854748574.exe | Payment_Swift_0096986854748574.exe
  PID 3152 wrote to memory of 3952 | 3152 | Payment_Swift_0096986854748574.exe | Payment_Swift_0096986854748574.exe
  PID 3152 wrote to memory of 3952 | 3152 | Payment_Swift_0096986854748574.exe | Payment_Swift_0096986854748574.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\Payment_Swift_0096986854748574.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment_Swift_0096986854748574.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- Level 2 (child of the process above): C:\Users\Admin\AppData\Local\Temp\Payment_Swift_0096986854748574.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment_Swift_0096986854748574.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment_Swift_0096986854748574.exe.log
  MD5: c3cc52ccca9ff2b6fa8d267fc350ca6b
  SHA1: a68d4028333296d222e4afd75dea36fdc98d05f3
  SHA256: 3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e
  SHA512: b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7
- Memory dumps (dump | filesize)
  memory/3152-122-0x000000007F740000-0x000000007F741000-memory.dmp | 4KB
  memory/3152-123-0x00000000009B0000-0x0000000000A14000-memory.dmp | 400KB
  memory/3152-118-0x0000000004A30000-0x0000000004A31000-memory.dmp | 4KB
  memory/3152-119-0x00000000024B0000-0x00000000024B1000-memory.dmp | 4KB
  memory/3152-120-0x0000000004E80000-0x0000000004E89000-memory.dmp | 36KB
  memory/3152-114-0x0000000000050000-0x0000000000051000-memory.dmp | 4KB
  memory/3152-121-0x0000000004990000-0x0000000004E8E000-memory.dmp | 5.0MB
  memory/3152-117-0x0000000004990000-0x0000000004991000-memory.dmp | 4KB
  memory/3152-124-0x0000000007BE0000-0x0000000007C49000-memory.dmp | 420KB
  memory/3152-116-0x0000000004E90000-0x0000000004E91000-memory.dmp | 4KB
  memory/3952-126-0x00000000004643EE-mapping.dmp | (no size given)
  memory/3952-125-0x0000000000400000-0x000000000046A000-memory.dmp | 424KB
  memory/3952-132-0x00000000066E0000-0x00000000066E1000-memory.dmp | 4KB
  memory/3952-135-0x00000000053D0000-0x00000000058CE000-memory.dmp | 5.0MB