Analysis
- max time kernel: 116s
- max time network: 114s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 23-04-2021 10:11
Static task: static1
Behavioral task: behavioral1
- Sample: ACH Payment Initiated & Received.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: ACH Payment Initiated & Received.exe
- Resource: win10v20210410
General
- Target: ACH Payment Initiated & Received.exe
- Size: 536KB
- MD5: 16db1dad94d7c7bff556c87395af1a94
- SHA1: 077d1ab9d2870562be9dfa431ce6651aa6179207
- SHA256: 2346a1bdc66b319e0cb751f7c8aea0c5164917d30a349b2a1a8d0566fbd60671
- SHA512: 2f24816b4c25281deda76b070dbe9d705e9aaa6518983f5f944ae698c222f0c9f9d3981ac3a70859d4333e54aae28afc219b3c5b9354cc50f42d145bc9faa5d7
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: smtp.lokalboyz.com
- Port: 587
- Username: oc2021@lokalboyz.com
- Password: lkEb6ovn
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger Payload (3 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/1108-65-0x0000000000400000-0x000000000046A000-memory.dmp / family_snakekeylogger
  - behavioral1/memory/1108-66-0x00000000004643FE-mapping.dmp / family_snakekeylogger
  - behavioral1/memory/1108-67-0x0000000000400000-0x000000000046A000-memory.dmp / family_snakekeylogger
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  - 5 / checkip.dyndns.org
  - 10 / freegeoip.app
  - 11 / freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 1944 set thread context of 1108 / 1944 / ACH Payment Initiated & Received.exe / ACH Payment Initiated & Received.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes (pid / process), repeated rows collapsed with a count:
  - 1944 / ACH Payment Initiated & Received.exe (6 entries)
  - 1108 / ACH Payment Initiated & Received.exe (1 entry)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 1944 / ACH Payment Initiated & Received.exe
  - Token: SeDebugPrivilege / 1108 / ACH Payment Initiated & Received.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes (description / pid / process / target process), repeated rows collapsed with a count:
  - PID 1944 wrote to memory of 968 / 1944 / ACH Payment Initiated & Received.exe / ACH Payment Initiated & Received.exe (4 entries)
  - PID 1944 wrote to memory of 1700 / 1944 / ACH Payment Initiated & Received.exe / ACH Payment Initiated & Received.exe (4 entries)
  - PID 1944 wrote to memory of 560 / 1944 / ACH Payment Initiated & Received.exe / ACH Payment Initiated & Received.exe (4 entries)
  - PID 1944 wrote to memory of 1704 / 1944 / ACH Payment Initiated & Received.exe / ACH Payment Initiated & Received.exe (4 entries)
  - PID 1944 wrote to memory of 1108 / 1944 / ACH Payment Initiated & Received.exe / ACH Payment Initiated & Received.exe (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ACH Payment Initiated & Received.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ACH Payment Initiated & Received.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\ACH Payment Initiated & Received.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ACH Payment Initiated & Received.exe"
  - C:\Users\Admin\AppData\Local\Temp\ACH Payment Initiated & Received.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ACH Payment Initiated & Received.exe"
  - C:\Users\Admin\AppData\Local\Temp\ACH Payment Initiated & Received.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ACH Payment Initiated & Received.exe"
  - C:\Users\Admin\AppData\Local\Temp\ACH Payment Initiated & Received.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ACH Payment Initiated & Received.exe"
  - C:\Users\Admin\AppData\Local\Temp\ACH Payment Initiated & Received.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ACH Payment Initiated & Received.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1108-65-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize: 424KB)
- memory/1108-66-0x00000000004643FE-mapping.dmp
- memory/1108-67-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize: 424KB)
- memory/1108-69-0x0000000004940000-0x0000000004941000-memory.dmp (Filesize: 4KB)
- memory/1944-59-0x00000000001E0000-0x00000000001E1000-memory.dmp (Filesize: 4KB)
- memory/1944-61-0x00000000002C0000-0x00000000002C9000-memory.dmp (Filesize: 36KB)
- memory/1944-62-0x00000000044B0000-0x00000000044B1000-memory.dmp (Filesize: 4KB)
- memory/1944-63-0x0000000004F40000-0x0000000004FAA000-memory.dmp (Filesize: 424KB)
- memory/1944-64-0x0000000007440000-0x00000000074AF000-memory.dmp (Filesize: 444KB)