Analysis
- max time kernel: 79s
- max time network: 114s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 22-07-2021 12:01

Static task: static1

Behavioral task: behavioral1
  Sample: Bank contract,PDF.exe
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample: Bank contract,PDF.exe
  Resource: win10v20210408
General
- Target: Bank contract,PDF.exe
- Size: 626KB
- MD5: 78015f9defe5b97192708769bd57afc3
- SHA1: c415ba40d88e682fc6aaf2932ab598b1c3f2aeb6
- SHA256: b6f371e3895f840676f1b3716f92f078ae5b57d80b19adece970e4e013700e60
- SHA512: 08686d0638bdba03718c2739ecc98f8f8aa9dc97358f377ab2586d0b81f62461c7ec8e1b2f4c9ff3d69a96934c8f1eafe3b73f059bdf1ff14172730d22a7fd20
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: smtp.yandex.ru
- Port: 465
- Username: [email protected]
- Password: Bigman@2021pc
- URL: https://api.telegram.org/bot1845238130:AAHi6gsFs5hUVM4gq6AZswKJ0BHdbnMgjsI/sendMessage?chat_id=Draww72Bot
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    14    checkip.dyndns.org
    17    freegeoip.app
    18    freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                target process
    PID 4016 set thread context of 2004  4016  Bank contract,PDF.exe  Bank contract,PDF.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    4016  Bank contract,PDF.exe
    2004  Bank contract,PDF.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  4016  Bank contract,PDF.exe
    Token: SeDebugPrivilege  2004  Bank contract,PDF.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (8 entries, all identical):
    description                       pid   process                target process
    PID 4016 wrote to memory of 2004  4016  Bank contract,PDF.exe  Bank contract,PDF.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Bank contract,PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bank contract,PDF.exe"
  PID: 4016
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Bank contract,PDF.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bank contract,PDF.exe"
    PID: 2004
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/2004-125-0x0000000000400000-0x0000000000424000-memory.dmp  Filesize: 144KB
- memory/2004-132-0x0000000006270000-0x0000000006271000-memory.dmp  Filesize: 4KB
- memory/2004-131-0x0000000004E60000-0x000000000535E000-memory.dmp  Filesize: 5.0MB
- memory/2004-126-0x000000000041F8AE-mapping.dmp
- memory/4016-121-0x0000000004FA0000-0x000000000503C000-memory.dmp  Filesize: 624KB
- memory/4016-120-0x00000000052E0000-0x00000000052E1000-memory.dmp  Filesize: 4KB
- memory/4016-114-0x00000000005E0000-0x00000000005E1000-memory.dmp  Filesize: 4KB
- memory/4016-122-0x0000000006BE0000-0x0000000006BFB000-memory.dmp  Filesize: 108KB
- memory/4016-123-0x00000000010D0000-0x0000000001134000-memory.dmp  Filesize: 400KB
- memory/4016-124-0x0000000000B00000-0x0000000000B25000-memory.dmp  Filesize: 148KB
- memory/4016-119-0x0000000004FE0000-0x0000000004FE1000-memory.dmp  Filesize: 4KB
- memory/4016-118-0x00000000050E0000-0x00000000050E1000-memory.dmp  Filesize: 4KB
- memory/4016-117-0x00000000055E0000-0x00000000055E1000-memory.dmp  Filesize: 4KB
- memory/4016-116-0x0000000005040000-0x0000000005041000-memory.dmp  Filesize: 4KB