Analysis
max time kernel: 104s
max time network: 126s
platform: windows10_x64
resource: win10v20210410
submitted: 27-07-2021 13:07
Static task: static1
Behavioral task: behavioral1
  Sample: invoice.02 Nazih El Chouli.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: invoice.02 Nazih El Chouli.exe
  Resource: win10v20210410
General
Target: invoice.02 Nazih El Chouli.exe
Size: 31KB
MD5: 5898734f512fe21e26447c8b28fe802f
SHA1: eefb6ef334e0ae3fe1316256831a087d412f6008
SHA256: fb04731280999bb99a45d6473b6fd1d8a9cad45654ee21d7a5ca89b8a6a7e41e
SHA512: 5f1dbfdc7fd4f091b4a531a1101256ff697cf68d46a231cb08919236de97230d7d26ebe5a34142fcc738a737421b12b5589da180581c32e3cedddc8511a75841
Malware Config
Extracted: snakekeylogger
Protocol: smtp
Host: Smtp.vivaldi.net
Port: 587
Username: samueln@vivaldi.net
Password: DU5DwYRUQdyQQCt
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- suricata: ET MALWARE DTLoader Binary Request M2
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    12    checkip.dyndns.org
    14    freegeoip.app
    15    freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  Processes: invoice.02 Nazih El Chouli.exe
    description                         pid   process                          target process
    PID 3968 set thread context of 1448 3968  invoice.02 Nazih El Chouli.exe   invoice.02 Nazih El Chouli.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: invoice.02 Nazih El Chouli.exe
    pid   process
    1448  invoice.02 Nazih El Chouli.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: invoice.02 Nazih El Chouli.exe, invoice.02 Nazih El Chouli.exe
    description               pid   process
    Token: SeDebugPrivilege   3968  invoice.02 Nazih El Chouli.exe
    Token: SeDebugPrivilege   1448  invoice.02 Nazih El Chouli.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: invoice.02 Nazih El Chouli.exe
    description                      pid   process                          target process
    PID 3968 wrote to memory of 1448 3968  invoice.02 Nazih El Chouli.exe   invoice.02 Nazih El Chouli.exe
    (8 entries in total, all identical to the row above)
Processes
- C:\Users\Admin\AppData\Local\Temp\invoice.02 Nazih El Chouli.exe (process tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\invoice.02 Nazih El Chouli.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\invoice.02 Nazih El Chouli.exe (process tree depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\invoice.02 Nazih El Chouli.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice.02 Nazih El Chouli.exe.log
  MD5: 4d3fa08fb66fd6514e34ae902f8d2292
  SHA1: 46b598199af1d91abd2534dbc0cbcc7022e51c88
  SHA256: 3182d0e332f73af730d569df96b097a77a5cd98c91a56d5c57b85a105332a753
  SHA512: 7fa1c64c5555837286d4bf9448c5a2bac9ebb62c3966eff063f7fe4fa5c4076930c6505f04940fb4b38ea240f319b94fde4de4c3d7ac5c1f83fce99b33f6620a
- memory/1448-126-0x0000000005760000-0x0000000005761000-memory.dmp
  Filesize: 4KB
- memory/1448-121-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
- memory/1448-122-0x000000000041F82E-mapping.dmp
- memory/1448-128-0x0000000005260000-0x000000000575E000-memory.dmp
  Filesize: 5.0MB
- memory/1448-129-0x0000000006570000-0x0000000006571000-memory.dmp
  Filesize: 4KB
- memory/1448-130-0x0000000006470000-0x0000000006471000-memory.dmp
  Filesize: 4KB
- memory/1448-131-0x0000000006430000-0x0000000006431000-memory.dmp
  Filesize: 4KB
- memory/3968-117-0x0000000005320000-0x0000000005321000-memory.dmp
  Filesize: 4KB
- memory/3968-118-0x0000000005540000-0x0000000005541000-memory.dmp
  Filesize: 4KB
- memory/3968-119-0x0000000005E70000-0x0000000005E71000-memory.dmp
  Filesize: 4KB
- memory/3968-120-0x0000000006140000-0x0000000006147000-memory.dmp
  Filesize: 28KB
- memory/3968-116-0x0000000005280000-0x0000000005281000-memory.dmp
  Filesize: 4KB
- memory/3968-114-0x0000000000A70000-0x0000000000A71000-memory.dmp
  Filesize: 4KB