ede697a91e18c73baf01ca677aa33917.exe

General

Target: ede697a91e18c73baf01ca677aa33917.exe
Filesize: 634KB
Completed: 27-07-2021 16:10
Score: 10/10
MD5: ede697a91e18c73baf01ca677aa33917
SHA1: 699f96d0a34bfacd78a8530f507769d5d18dccc5
SHA256: 1e2785c94e1501731c09b13b6f8156548704a36dd5b220efab73c06ed4fd6bfc

Malware Config

Extracted

Family: snakekeylogger

Credentials
Protocol: smtp
Host: bh-16.webhostbox.net
Port: 587
Username: whesilolog@miratechs.gq
Password: 7213575aceACE@#$

Signatures (10)

  • Snake Keylogger (tactics: Collection, Credential Access)

    Description

    Keylogger and Infostealer first seen in November 2020.

  • CustAttr .NET packer

    Description

    Detects CustAttr .NET packer in memory.

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/676-62-0x0000000000540000-0x000000000054B000-memory.dmp | CustAttr
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    8 | freegeoip.app
    9 | freegeoip.app
    4 | checkip.dyndns.org
  • Suspicious use of SetThreadContext
    ede697a91e18c73baf01ca677aa33917.exe

    Reported IOCs

    description | pid | process | target process
    PID 676 set thread context of 1580 | 676 | ede697a91e18c73baf01ca677aa33917.exe | ede697a91e18c73baf01ca677aa33917.exe
  • Suspicious behavior: EnumeratesProcesses
    ede697a91e18c73baf01ca677aa33917.exe

    Reported IOCs

    pid | process
    1580 | ede697a91e18c73baf01ca677aa33917.exe
  • Suspicious use of AdjustPrivilegeToken
    ede697a91e18c73baf01ca677aa33917.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1580 | ede697a91e18c73baf01ca677aa33917.exe
  • Suspicious use of WriteProcessMemory
    ede697a91e18c73baf01ca677aa33917.exe

    Reported IOCs

    description | pid | process | target process
    PID 676 wrote to memory of 1580 | 676 | ede697a91e18c73baf01ca677aa33917.exe | ede697a91e18c73baf01ca677aa33917.exe
    PID 676 wrote to memory of 1580 | 676 | ede697a91e18c73baf01ca677aa33917.exe | ede697a91e18c73baf01ca677aa33917.exe
    PID 676 wrote to memory of 1580 | 676 | ede697a91e18c73baf01ca677aa33917.exe | ede697a91e18c73baf01ca677aa33917.exe
    PID 676 wrote to memory of 1580 | 676 | ede697a91e18c73baf01ca677aa33917.exe | ede697a91e18c73baf01ca677aa33917.exe
    PID 676 wrote to memory of 1580 | 676 | ede697a91e18c73baf01ca677aa33917.exe | ede697a91e18c73baf01ca677aa33917.exe
    PID 676 wrote to memory of 1580 | 676 | ede697a91e18c73baf01ca677aa33917.exe | ede697a91e18c73baf01ca677aa33917.exe
    PID 676 wrote to memory of 1580 | 676 | ede697a91e18c73baf01ca677aa33917.exe | ede697a91e18c73baf01ca677aa33917.exe
    PID 676 wrote to memory of 1580 | 676 | ede697a91e18c73baf01ca677aa33917.exe | ede697a91e18c73baf01ca677aa33917.exe
    PID 676 wrote to memory of 1580 | 676 | ede697a91e18c73baf01ca677aa33917.exe | ede697a91e18c73baf01ca677aa33917.exe
Processes (2)
  • C:\Users\Admin\AppData\Local\Temp\ede697a91e18c73baf01ca677aa33917.exe
    "C:\Users\Admin\AppData\Local\Temp\ede697a91e18c73baf01ca677aa33917.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:676
    • C:\Users\Admin\AppData\Local\Temp\ede697a91e18c73baf01ca677aa33917.exe
      "C:\Users\Admin\AppData\Local\Temp\ede697a91e18c73baf01ca677aa33917.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1580
Network
MITRE ATT&CK Matrix

Matrix columns: Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Downloads
  • memory/676-59-0x0000000000880000-0x0000000000881000-memory.dmp
  • memory/676-61-0x0000000004C60000-0x0000000004C61000-memory.dmp
  • memory/676-62-0x0000000000540000-0x000000000054B000-memory.dmp
  • memory/676-63-0x0000000007D80000-0x0000000007DE8000-memory.dmp
  • memory/676-64-0x0000000000650000-0x0000000000676000-memory.dmp
  • memory/1580-65-0x0000000000400000-0x0000000000424000-memory.dmp
  • memory/1580-66-0x000000000041F89E-mapping.dmp
  • memory/1580-67-0x0000000000400000-0x0000000000424000-memory.dmp
  • memory/1580-69-0x0000000004AB0000-0x0000000004AB1000-memory.dmp