Analysis
-
max time kernel
124s -
max time network
120s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
04-05-2021 15:24
General
-
Target
DHL 4677348255142.exe
-
Size
606KB
-
MD5
4eb10dfd43a4d6415e554316cd1bc288
-
SHA1
0a488404456576535cb7acbbaa948fc5053f30f5
-
SHA256
6cf104c9a72fd0d57d3a9e6be82836cb66e74a89cac1890d36a37c8d7452cd8c
-
SHA512
9605a587666642348e3b0c56b3f98b190e3c74f5aa3b42255e30148d6168473ec8990d71e813c12ecf84e4e6b8f01b5bd84ef6372050eff88402704eb3c2c44c
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.almatls.com - Port:
587 - Username:
ewalogs@almatls.com - Password:
0c0qf7xTL1
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload 3 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DHL 4677348255142.exe"C:\Users\Admin\AppData\Local\Temp\DHL 4677348255142.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfTQyYsAKIAw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp340B.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\DHL 4677348255142.exe"C:\Users\Admin\AppData\Local\Temp\DHL 4677348255142.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp340B.tmpMD5
a59943c8c5b83bd1ffce73e82071623d
SHA1c63d168e125daec6541f34854123f208b541aa3f
SHA2563d00558329cbe1402c85b2955cbd484c3ffe75e65c757c1cbeb984ef624885b1
SHA51245f751d62b7ada712c92e304260292f452593bb010d075e77213651643617f109e486ab3c2e745f1b7ed9118bf6ea7ecdb20bdb1fb80a9f84d8a9e38475a0e29
-
memory/280-60-0x0000000001210000-0x0000000001211000-memory.dmpFilesize
4KB
-
memory/280-62-0x0000000004EE0000-0x0000000004EE1000-memory.dmpFilesize
4KB
-
memory/280-63-0x0000000000560000-0x000000000056E000-memory.dmpFilesize
56KB
-
memory/280-64-0x0000000004780000-0x00000000047E7000-memory.dmpFilesize
412KB
-
memory/280-65-0x0000000004E00000-0x0000000004E6B000-memory.dmpFilesize
428KB
-
memory/1312-66-0x0000000000000000-mapping.dmp
-
memory/1504-68-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1504-69-0x00000000004645CE-mapping.dmp
-
memory/1504-70-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/1504-72-0x0000000004D60000-0x0000000004D61000-memory.dmpFilesize
4KB