Overview

overview

10

Static

static

ORDER SKYM...DF.exe

windows7_x64

10

ORDER SKYM...DF.exe

windows10_x64

10

Analysis

  • max time kernel
    64s
  • max time network
    119s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    21-07-2021 15:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER SKYMET 847759 REVISED PDF.exe

  • Size

    750KB

  • MD5

    3a6c8c240828559138a59cfec12aa081

  • SHA1

    c2fe87c26bad47966cdd35d1cfca72c7e4001391

  • SHA256

    5d05226e0bd6559409b3c0e393ff6e663792d0adb27f9145500a10894e16bd36

  • SHA512

    7f12ee6c73e90716e8336856c2be087c9321cedd0bab18ab34010919c0153a74aa75075b8d5d62632aa4555bacd24c47948c5ac0254b5a5208a074bce5780131

Score
10/10
snakekeyloggerkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    smtp.haohuatlre.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    babakings32

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ORDER SKYMET 847759 REVISED PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\ORDER SKYMET 847759 REVISED PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3728
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FTWxHbopLRk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp43E0.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2116
    • C:\Users\Admin\AppData\Local\Temp\ORDER SKYMET 847759 REVISED PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\ORDER SKYMET 847759 REVISED PDF.exe"
      2⤵
        PID:1192
      • C:\Users\Admin\AppData\Local\Temp\ORDER SKYMET 847759 REVISED PDF.exe
        "C:\Users\Admin\AppData\Local\Temp\ORDER SKYMET 847759 REVISED PDF.exe"
        2⤵
          PID:1284
        • C:\Users\Admin\AppData\Local\Temp\ORDER SKYMET 847759 REVISED PDF.exe
          "C:\Users\Admin\AppData\Local\Temp\ORDER SKYMET 847759 REVISED PDF.exe"
          2⤵
            PID:1276
          • C:\Users\Admin\AppData\Local\Temp\ORDER SKYMET 847759 REVISED PDF.exe
            "C:\Users\Admin\AppData\Local\Temp\ORDER SKYMET 847759 REVISED PDF.exe"
            2⤵
              PID:1484
            • C:\Users\Admin\AppData\Local\Temp\ORDER SKYMET 847759 REVISED PDF.exe
              "C:\Users\Admin\AppData\Local\Temp\ORDER SKYMET 847759 REVISED PDF.exe"
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:3524

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\tmp43E0.tmp
            MD5

            d474e7c3e0721c1e1ac00d8425fcfed1

            SHA1

            8f38353d66f2d947f1316443f6816b5d08e33dcf

            SHA256

            75a8e4d0514e3bc21cf7dca91559dbbc3cc0c4b1f6155115bd04cc3631a29306

            SHA512

            f6a49515f470df588dc86861be895998c2ddb3dbb63173536d4442b463a8240bfa35ae52c509f87dbd63288bdf5375e9e4e418b30f90dc9d511ae1d43d48c4a7

            Download Submit

          • memory/2116-124-0x0000000000000000-mapping.dmp

            Download

          • memory/3524-135-0x0000000006C90000-0x0000000006C91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3524-132-0x0000000002E70000-0x0000000002E71000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3524-127-0x000000000041F9CE-mapping.dmp

            Download

          • memory/3524-126-0x0000000000400000-0x0000000000424000-memory.dmp

            Filesize

            144KB

            Download

          • memory/3728-118-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3728-122-0x00000000083F0000-0x000000000845B000-memory.dmp

            Filesize

            428KB

            Download

          • memory/3728-123-0x0000000008460000-0x0000000008486000-memory.dmp

            Filesize

            152KB

            Download

          • memory/3728-121-0x0000000004ED0000-0x0000000004EEB000-memory.dmp

            Filesize

            108KB

            Download

          • memory/3728-120-0x0000000004E50000-0x000000000534E000-memory.dmp

            Filesize

            5.0MB

            Download

          • memory/3728-119-0x0000000004D20000-0x0000000004D21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3728-114-0x0000000000430000-0x0000000000431000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3728-117-0x0000000004D30000-0x0000000004D31000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3728-116-0x0000000005350000-0x0000000005351000-memory.dmp

            Filesize

            4KB

            Download