Overview

overview

10

Static

static

Bank contract,PDF.exe

windows7_x64

10

Bank contract,PDF.exe

windows10_x64

10

Analysis

  • max time kernel
    79s
  • max time network
    114s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    22-07-2021 12:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bank contract,PDF.exe

  • Size

    626KB

  • MD5

    78015f9defe5b97192708769bd57afc3

  • SHA1

    c415ba40d88e682fc6aaf2932ab598b1c3f2aeb6

  • SHA256

    b6f371e3895f840676f1b3716f92f078ae5b57d80b19adece970e4e013700e60

  • SHA512

    08686d0638bdba03718c2739ecc98f8f8aa9dc97358f377ab2586d0b81f62461c7ec8e1b2f4c9ff3d69a96934c8f1eafe3b73f059bdf1ff14172730d22a7fd20

Score
10/10
snakekeyloggerkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.ru
  • Port:
    465
  • Username:
    [email protected]
  • Password:
    Bigman@2021pc
C2

https://api.telegram.org/bot1845238130:AAHi6gsFs5hUVM4gq6AZswKJ0BHdbnMgjsI/sendMessage?chat_id=Draww72Bot

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bank contract,PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Bank contract,PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4016
    • C:\Users\Admin\AppData\Local\Temp\Bank contract,PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\Bank contract,PDF.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2004

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2004-125-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/2004-132-0x0000000006270000-0x0000000006271000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2004-131-0x0000000004E60000-0x000000000535E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2004-126-0x000000000041F8AE-mapping.dmp
    Download
  • memory/4016-121-0x0000000004FA0000-0x000000000503C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4016-120-0x00000000052E0000-0x00000000052E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4016-114-0x00000000005E0000-0x00000000005E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4016-122-0x0000000006BE0000-0x0000000006BFB000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4016-123-0x00000000010D0000-0x0000000001134000-memory.dmp
    Filesize

    400KB

    Download
  • memory/4016-124-0x0000000000B00000-0x0000000000B25000-memory.dmp
    Filesize

    148KB

    Download
  • memory/4016-119-0x0000000004FE0000-0x0000000004FE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4016-118-0x00000000050E0000-0x00000000050E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4016-117-0x00000000055E0000-0x00000000055E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4016-116-0x0000000005040000-0x0000000005041000-memory.dmp
    Filesize

    4KB

    Download