Presupuesto urgente PST56654256778982, pdf.exe

General

Target:    Presupuesto urgente PST56654256778982, pdf.exe
Filesize:  852KB
Completed: 04-05-2021 15:28
Score:     10/10
MD5:       d6b608c55871cf8d00f5daacd3d8c858
SHA1:      3a53fd8d9d5e5b136aea4083f6881a18c59414ef
SHA256:    acb59cfe4c0dcdfdbc835fce99582cae54d6d3afb2233eab94a0a22bfd2c2dd7

Malware Config

Extracted

Family: snakekeylogger

Credentials
  Protocol: smtp
  Host:     smtp.endovision.xyz
  Port:     587
  Username: info@endovision.xyz
  Password: r)($czxJs0

Signatures (9)

Tactics: Collection, Credential Access
  • Snake Keylogger

    Description

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger Payload

    Reported IOCs

    Resource                                                                      YARA rule
    behavioral1/memory/892-66-0x0000000000400000-0x000000000046A000-memory.dmp    family_snakekeylogger
    behavioral1/memory/892-67-0x00000000004643FE-mapping.dmp                      family_snakekeylogger
    behavioral1/memory/892-68-0x0000000000400000-0x000000000046A000-memory.dmp    family_snakekeylogger
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System; Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    Flow    IOC
    10      freegeoip.app
    11      freegeoip.app
    5       checkip.dyndns.org
  • Suspicious use of SetThreadContext
    Presupuesto urgente PST56654256778982, pdf.exe

    Reported IOCs

    Description                          PID    Process                                          Target process
    PID 1996 set thread context of 892   1996   Presupuesto urgente PST56654256778982, pdf.exe   Presupuesto urgente PST56654256778982, pdf.exe
  • Suspicious behavior: EnumeratesProcesses
    Presupuesto urgente PST56654256778982, pdf.exe

    Reported IOCs

    PID    Process
    892    Presupuesto urgente PST56654256778982, pdf.exe
  • Suspicious use of AdjustPrivilegeToken
    Presupuesto urgente PST56654256778982, pdf.exe

    Reported IOCs

    Description                PID    Process
    Token: SeDebugPrivilege    892    Presupuesto urgente PST56654256778982, pdf.exe
  • Suspicious use of WriteProcessMemory
    Presupuesto urgente PST56654256778982, pdf.exe

    Reported IOCs

    Description                          PID    Process                                          Target process
    PID 1996 wrote to memory of 892      1996   Presupuesto urgente PST56654256778982, pdf.exe   Presupuesto urgente PST56654256778982, pdf.exe
    (the same entry is reported 9 times)
Processes (2)
  • C:\Users\Admin\AppData\Local\Temp\Presupuesto urgente PST56654256778982, pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Presupuesto urgente PST56654256778982, pdf.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Users\Admin\AppData\Local\Temp\Presupuesto urgente PST56654256778982, pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Presupuesto urgente PST56654256778982, pdf.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:892
Downloads
  • memory/892-67-0x00000000004643FE-mapping.dmp
  • memory/892-68-0x0000000000400000-0x000000000046A000-memory.dmp
  • memory/892-70-0x0000000004870000-0x0000000004871000-memory.dmp
  • memory/892-66-0x0000000000400000-0x000000000046A000-memory.dmp
  • memory/1996-64-0x0000000005000000-0x00000000050A0000-memory.dmp
  • memory/1996-65-0x0000000007580000-0x000000000761D000-memory.dmp
  • memory/1996-60-0x0000000000BB0000-0x0000000000BB1000-memory.dmp
  • memory/1996-62-0x00000000004A0000-0x00000000004A1000-memory.dmp
  • memory/1996-63-0x0000000000500000-0x000000000050E000-memory.dmp