Overview

overview

10

Static

static

8

Fattura_01137434.xlsm

windows7_x64

1

Fattura_01137434.xlsm

windows10_x64

1

Fattura_01438445.xlsm

windows7_x64

1

Fattura_01438445.xlsm

windows10_x64

1

Fattura_01634446.xlsm

windows7_x64

1

Fattura_01634446.xlsm

windows10_x64

1

IMG_056_107_0282.exe

windows7_x64

10

IMG_056_107_0282.exe

windows10_x64

10

IMG_056_107_0282.xlsx

windows7_x64

8

IMG_056_107_0282.xlsx

windows10_x64

1

IMG_5018_330_92.exe

windows7_x64

10

IMG_5018_330_92.exe

windows10_x64

10

IMG_5018_330_92.xlsx

windows7_x64

8

IMG_5018_330_92.xlsx

windows10_x64

1

PI.exe

windows7_x64

10

PI.exe

windows10_x64

10

cks.exe

windows7_x64

10

cks.exe

windows10_x64

10

Scan_018819.exe

windows7_x64

10

Scan_018819.exe

windows10_x64

10

slot Charges.exe

windows7_x64

10

slot Charges.exe

windows10_x64

10

Analysis

  • max time kernel
    134s
  • max time network
    177s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    13-05-2021 21:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Scan_018819.exe

  • Size

    1.0MB

  • MD5

    64325f0e08a364425cb97715a58457af

  • SHA1

    1f2efb3e59fc7120d00c282629eeda230c415a15

  • SHA256

    3a11e93d6c4a21ff966d34fd500c81e69ecd4b63d6906623d3b37ecf4d60bebd

  • SHA512

    ccc2ee4bc6c143d5b59c4a6732de75450d4712b95e2e9db3c815a9f4c78f83761a45e711cfd8843fa8fe7fc8d4d3dfafb1f8b04bc4e3e0363da71a3b8a6c61ca

Score
10/10
snakekeyloggerkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    smtp.netalkar.co.in
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    sih70111

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger Payload 3 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Scan_018819.exe
    "C:\Users\Admin\AppData\Local\Temp\Scan_018819.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Users\Admin\AppData\Local\Temp\Scan_018819.exe
      "C:\Users\Admin\AppData\Local\Temp\Scan_018819.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:384
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 1088
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1824

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/384-66-0x000000000046441E-mapping.dmp

    Download

  • memory/384-65-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/384-67-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/384-69-0x0000000004C00000-0x0000000004C01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1656-59-0x0000000000970000-0x0000000000971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1656-61-0x0000000004E90000-0x0000000004E91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1656-62-0x0000000000440000-0x000000000044E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1656-63-0x0000000005230000-0x00000000052A3000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1656-64-0x00000000052B0000-0x000000000531D000-memory.dmp

    Filesize

    436KB

    Download

  • memory/1824-70-0x0000000000000000-mapping.dmp

    Download

  • memory/1824-71-0x00000000004A0000-0x00000000004A1000-memory.dmp

    Filesize

    4KB

    Download