ede697a91e18c73baf01ca677aa33917.exe

General

Target: ede697a91e18c73baf01ca677aa33917.exe
Filesize: 634KB
Completed: 27-07-2021 15:50
Score: 10/10
MD5: ede697a91e18c73baf01ca677aa33917
SHA1: 699f96d0a34bfacd78a8530f507769d5d18dccc5
SHA256: 1e2785c94e1501731c09b13b6f8156548704a36dd5b220efab73c06ed4fd6bfc

Malware Config

Extracted

Family: snakekeylogger
Credentials
  Protocol: smtp
  Host: bh-16.webhostbox.net
  Port: 587
  Username: whesilolog@miratechs.gq
  Password: 7213575aceACE@#$

Signatures (8)

  • Snake Keylogger

    Description

    Keylogger and Infostealer first seen in November 2020.

  • CustAttr .NET packer

    Description

    Detects CustAttr .NET packer in memory.

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1632-62-0x00000000002A0000-0x00000000002AB000-memory.dmp | CustAttr
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    5 | checkip.dyndns.org
  • Suspicious use of SetThreadContext
    ede697a91e18c73baf01ca677aa33917.exe

    Reported IOCs

    description | pid | process | target process
    PID 1632 set thread context of 856 | 1632 | ede697a91e18c73baf01ca677aa33917.exe | ede697a91e18c73baf01ca677aa33917.exe
  • Program crash
    WerFault.exe

    Reported IOCs

    pid | pid_target | process | target process
    1864 | 856 | WerFault.exe | ede697a91e18c73baf01ca677aa33917.exe
  • Suspicious behavior: EnumeratesProcesses
    ede697a91e18c73baf01ca677aa33917.exe, WerFault.exe

    Reported IOCs

    pid | process
    856 | ede697a91e18c73baf01ca677aa33917.exe
    1864 | WerFault.exe (reported 5 times)
  • Suspicious use of AdjustPrivilegeToken
    ede697a91e18c73baf01ca677aa33917.exe, WerFault.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 856 | ede697a91e18c73baf01ca677aa33917.exe
    Token: SeDebugPrivilege | 1864 | WerFault.exe
  • Suspicious use of WriteProcessMemory
    ede697a91e18c73baf01ca677aa33917.exe, ede697a91e18c73baf01ca677aa33917.exe

    Reported IOCs

    description | pid | process | target process
    PID 1632 wrote to memory of 856 | 1632 | ede697a91e18c73baf01ca677aa33917.exe | ede697a91e18c73baf01ca677aa33917.exe (reported 9 times)
    PID 856 wrote to memory of 1864 | 856 | ede697a91e18c73baf01ca677aa33917.exe | WerFault.exe (reported 4 times)
Processes (3)
  • C:\Users\Admin\AppData\Local\Temp\ede697a91e18c73baf01ca677aa33917.exe
    "C:\Users\Admin\AppData\Local\Temp\ede697a91e18c73baf01ca677aa33917.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Users\Admin\AppData\Local\Temp\ede697a91e18c73baf01ca677aa33917.exe
      "C:\Users\Admin\AppData\Local\Temp\ede697a91e18c73baf01ca677aa33917.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:856
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 1100
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:1864
                          Downloads