Analysis
- max time kernel: 64s
- max time network: 127s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 22-07-2021 12:40
Static task: static1
Behavioral task: behavioral1 (Sample: whesilox.exe, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: whesilox.exe, Resource: win10v20210410)
General
- Target: whesilox.exe
- Size: 715KB
- MD5: facd1c07ffcfb16de518d0c977814d92
- SHA1: 27aa313a64ff37d6c31bd1a0a9953f00a48b3408
- SHA256: e7488c44d2b9f78f7c5e96126798220cbc3a7faf749beab4b8545207a73ce0d1
- SHA512: b6332e6de6b41014db759a1fb0c25996ee20f8be1c4f1a792d957a2b7edbb366b0378884e82fc497f707589ad1afd0bfc3b83c69919e897f8b9acf13edb10f33
Malware Config
Extracted (family: snakekeylogger)
- Protocol: smtp
- Host: bh-16.webhostbox.net
- Port: 587 (SMTP submission port; the stolen data is exfiltrated as mail sent through this account)
- Username: [email protected]
- Password: 7213575aceACE@#$
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  9 | checkip.dyndns.org
  13 | freegeoip.app
  14 | freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 360 set thread context of 564 | 360 | whesilox.exe | whesilox.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | process
  564 | whesilox.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 564 | whesilox.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 360 wrote to memory of 564 | 360 | whesilox.exe | whesilox.exe (this row is recorded 9 times)
  Together with the SetThreadContext event above, a parent writing into a second instance of its own image and then redirecting that instance's thread is the process hollowing pattern: the first instance acts as the unpacking stub and the second runs the unpacked payload.
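The SetThreadContext, WriteProcessMemory and AdjustPrivilegeToken tables, together with the IP-lookup flows above, are the raw material for a detection. The Python below is an added example written for this page, not sandbox code and not anything from the sample's authors: it reconstructs those events as records (the record schema is an assumption, as is the list of IP-lookup hosts beyond the two the report names) and flags the hollowing pattern and the external-IP lookups.

```python
"""Added example: turn the signature tables above into detection logic.

The records below are constructed from this report's own tables (PIDs 360 and 564,
image whesilox.exe, flows to checkip.dyndns.org and freegeoip.app). The record schema
is an assumption, not the sandbox's export format.
"""
from collections import defaultdict

PROCESS_EVENTS = (
    # "Suspicious use of WriteProcessMemory": recorded 9 times, parent 360 -> child 564.
    [{"op": "WriteProcessMemory", "pid": 360, "image": "whesilox.exe",
      "target_pid": 564, "target_image": "whesilox.exe"}] * 9
    + [
        # "Suspicious use of SetThreadContext": parent redirects the child's thread.
        {"op": "SetThreadContext", "pid": 360, "image": "whesilox.exe",
         "target_pid": 564, "target_image": "whesilox.exe"},
        # "Suspicious use of AdjustPrivilegeToken": the child enables SeDebugPrivilege.
        {"op": "AdjustPrivilegeToken", "pid": 564, "image": "whesilox.exe",
         "privilege": "SeDebugPrivilege"},
    ]
)

# Constructed flows: the three IoC rows from the report plus the SMTP host from the
# extracted config, which must NOT be matched by the IP-lookup rule.
FLOWS = [
    {"flow": 9, "host": "checkip.dyndns.org"},
    {"flow": 13, "host": "freegeoip.app"},
    {"flow": 14, "host": "freegeoip.app"},
    {"flow": 15, "host": "bh-16.webhostbox.net"},
]

# The two services from the report plus other common lookup endpoints (assumption:
# extend this set from your own telemetry rather than treating it as complete).
IP_LOOKUP_HOSTS = {
    "checkip.dyndns.org", "freegeoip.app", "api.ipify.org", "ifconfig.me", "icanhazip.com",
}


def detect_process_hollowing(events):
    """Return one finding per (writer, target) pair that both wrote into the target's
    memory and reset a thread context in it. That combination is the RunPE/hollowing
    pattern; a target that is a second instance of the writer's own image, as here,
    suggests the first instance is only an unpacking stub."""
    writes = defaultdict(int)
    contexts = {}
    privileges = defaultdict(set)
    for ev in events:
        if ev["op"] == "WriteProcessMemory":
            writes[(ev["pid"], ev["target_pid"])] += 1
        elif ev["op"] == "SetThreadContext":
            contexts[(ev["pid"], ev["target_pid"])] = (ev["image"], ev["target_image"])
        elif ev["op"] == "AdjustPrivilegeToken":
            privileges[ev["pid"]].add(ev["privilege"])

    findings = []
    for (writer, target), (writer_img, target_img) in sorted(contexts.items()):
        n_writes = writes.get((writer, target), 0)
        if n_writes == 0:
            continue  # a context change with no memory writes is not the hollowing pattern
        findings.append({
            "writer": writer,
            "target": target,
            "writes": n_writes,
            "same_image": writer_img.lower() == target_img.lower(),
            # Privileges the hollowed process enabled afterwards (SeDebugPrivilege here).
            "target_privileges": sorted(privileges.get(target, ())),
        })
    return findings


def detect_ip_lookup(flows, lookup_hosts=IP_LOOKUP_HOSTS):
    """Return the flow ids whose destination is a known public-IP lookup service."""
    return [f["flow"] for f in flows if f["host"].lower() in lookup_hosts]


if __name__ == "__main__":
    for finding in detect_process_hollowing(PROCESS_EVENTS):
        print("hollowing:", finding)
    print("ip-lookup flows:", detect_ip_lookup(FLOWS))
```

Requiring both a write and a context reset on the same (writer, target) pair keeps ordinary debuggers and single WriteProcessMemory calls from loaders out of the result; the same-image flag is what separates this self-hollowing sample from injection into a third-party process.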
Processes
1. C:\Users\Admin\AppData\Local\Temp\whesilox.exe (PID 360)
   Command line: "C:\Users\Admin\AppData\Local\Temp\whesilox.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\whesilox.exe (PID 564, child of PID 360)
      Command line: "C:\Users\Admin\AppData\Local\Temp\whesilox.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/360-60-0x0000000000FF0000-0x0000000000FF1000-memory.dmp (4KB)
- memory/360-62-0x0000000004C80000-0x0000000004C81000-memory.dmp (4KB)
- memory/360-63-0x00000000002C0000-0x00000000002DB000-memory.dmp (108KB)
- memory/360-64-0x0000000004B70000-0x0000000004BD4000-memory.dmp (400KB)
- memory/360-65-0x0000000000A60000-0x0000000000A86000-memory.dmp (152KB)
- memory/564-66-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/564-67-0x000000000041F89E-mapping.dmp
- memory/564-68-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/564-70-0x0000000004A40000-0x0000000004A41000-memory.dmp (4KB)
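The dump names above encode the PID, a sequence number and an address range. The Python below is an added example, not part of the report or of the sandbox's own tooling: it parses that naming scheme (assumed from the names shown, with the single-address mapping.dmp taken to mark the address the child's new thread context pointed at), cross-checks each reported size against its address range, and locates which of the child's region dumps contain the mapping address.

```python
"""Added example: parse the memory-dump names from this report and cross-check them.

DUMPS is constructed from the Downloads list above (name, size as reported; the
mapping.dmp entry has no size on the page). The naming scheme in DUMP_RE is an
assumption inferred from these names, not documented sandbox behaviour.
"""
import re

DUMPS = [
    ("memory/360-60-0x0000000000FF0000-0x0000000000FF1000-memory.dmp", "4KB"),
    ("memory/360-62-0x0000000004C80000-0x0000000004C81000-memory.dmp", "4KB"),
    ("memory/360-63-0x00000000002C0000-0x00000000002DB000-memory.dmp", "108KB"),
    ("memory/360-64-0x0000000004B70000-0x0000000004BD4000-memory.dmp", "400KB"),
    ("memory/360-65-0x0000000000A60000-0x0000000000A86000-memory.dmp", "152KB"),
    ("memory/564-66-0x0000000000400000-0x0000000000424000-memory.dmp", "144KB"),
    ("memory/564-67-0x000000000041F89E-mapping.dmp", None),
    ("memory/564-68-0x0000000000400000-0x0000000000424000-memory.dmp", "144KB"),
    ("memory/564-70-0x0000000004A40000-0x0000000004A41000-memory.dmp", "4KB"),
]

# Assumed scheme: memory/<pid>-<seq>-0x<start>[-0x<end>]-<kind>.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_dump_name(name):
    """Split a dump file name into its fields; addresses are returned as ints and
    `end` is None for a single-address mapping dump."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    end = m.group("end")
    return {
        "pid": int(m.group("pid")),
        "seq": int(m.group("seq")),
        "start": int(m.group("start"), 16),
        "end": int(end, 16) if end is not None else None,
        "kind": m.group("kind"),
    }


def region_size_kb(dump):
    """Size of a region dump in whole KiB, or None for a mapping dump."""
    if dump["end"] is None:
        return None
    return (dump["end"] - dump["start"]) // 1024


def check_reported_sizes(dumps):
    """Return the names whose reported size disagrees with the range in the name.
    A mismatch would mean the page's size column and the address range were
    garbled in extraction; an empty list means the two agree everywhere."""
    bad = []
    for name, reported in dumps:
        kb = region_size_kb(parse_dump_name(name))
        if kb is not None and reported is not None and f"{kb}KB" != reported:
            bad.append(name)
    return bad


def regions_containing_mapping(dumps):
    """Map every mapping dump to the region dumps of the same PID that contain its
    address. For this report the address 0x41F89E falls inside the child's
    0x400000-0x424000 region, i.e. inside the image the parent wrote into PID 564
    before SetThreadContext: that region is the unpacked payload to analyse."""
    parsed = {name: parse_dump_name(name) for name, _ in dumps}
    hits = {}
    for name, d in parsed.items():
        if d["kind"] != "mapping":
            continue
        hits[name] = sorted(
            other for other, o in parsed.items()
            if o["kind"] == "memory" and o["pid"] == d["pid"]
            and o["start"] <= d["start"] < o["end"]
        )
    return hits


if __name__ == "__main__":
    print("size mismatches:", check_reported_sizes(DUMPS))
    for mapping, regions in regions_containing_mapping(DUMPS).items():
        print(mapping, "->", regions)
```

The two 0x400000 dumps of PID 564 (sequence 66 and 68) bracket the mapping event, so diffing them is the quickest way to see what the parent wrote before handing control to the new entry point.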