Analysis

  • max time kernel
    67s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    27-07-2021 22:03

General

  • Target

    fatura.exe

  • Size

    1.1MB

  • MD5

    6a9d0ec45e52137abf05b546151dc664

  • SHA1

    2ea215c3bac1316746fb0ddb9ad7be216a596220

  • SHA256

    9c247a73a2b93a70b14c37b1dbf564f38db8bb9a0e7160de1971655a4e02950a

  • SHA512

    4b0a78c6da7c010c81d36d1e9ae70b60059e1e19b589221329bb447d798db0b36015e07fe7c282fc0250b409845376dd8e1651725cd8783883084d9891de994e

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.ergrafica.com.ar
  • Port:
    587
  • Username:
    trabajos@ergrafica.com.ar
  • Password:
    25834931Cecilia

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fatura.exe
    "C:\Users\Admin\AppData\Local\Temp\fatura.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4036
    • C:\Users\Admin\AppData\Local\Temp\fatura.exe
      "C:\Users\Admin\AppData\Local\Temp\fatura.exe"
      2⤵
        PID:4064
      • C:\Users\Admin\AppData\Local\Temp\fatura.exe
        "C:\Users\Admin\AppData\Local\Temp\fatura.exe"
        2⤵
          PID:3904
        • C:\Users\Admin\AppData\Local\Temp\fatura.exe
          "C:\Users\Admin\AppData\Local\Temp\fatura.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4024
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 1376
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3952

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\fatura.exe.log
        MD5

        568e6f2b186c39075772d775e4189f57

        SHA1

        02f642cfdd1491b1ce69e81925ed336975e2f972

        SHA256

        d29bbfbb510acd8716133feeade8f914076963ccc38abb4b5a64a8d32bac44e4

        SHA512

        ef3b7f6d6b355c41ca9abb40d769622ea3f79787d8d2501ad5a135fa5cc78712175190386c8e05ee863a3bc046bc09eee22310555d31e4d57a4652f280283156

      • memory/3952-120-0x0000000000000000-mapping.dmp
      • memory/4024-116-0x0000000000400000-0x0000000000448000-memory.dmp
        Filesize

        288KB

      • memory/4024-117-0x000000000044285E-mapping.dmp
      • memory/4024-119-0x0000000002920000-0x0000000002921000-memory.dmp
        Filesize

        4KB

      • memory/4036-114-0x00000000032F0000-0x00000000032F1000-memory.dmp
        Filesize

        4KB

      • memory/4036-115-0x00000000032F1000-0x00000000032F2000-memory.dmp
        Filesize

        4KB