ede697a91e18c73baf01ca677aa33917.exe

General

Target: ede697a91e18c73baf01ca677aa33917.exe
Filesize: 634KB
Completed: 27-07-2021 16:10
Score: 10/10
MD5: ede697a91e18c73baf01ca677aa33917
SHA1: 699f96d0a34bfacd78a8530f507769d5d18dccc5
SHA256: 1e2785c94e1501731c09b13b6f8156548704a36dd5b220efab73c06ed4fd6bfc

Malware Config

Extracted

Family: snakekeylogger
Credentials
  Protocol: smtp
  Host: bh-16.webhostbox.net
  Port: 587
  Username: whesilolog@miratechs.gq
  Password: 7213575aceACE@#$

Signatures (8)


  • Snake Keylogger

    Description

    Keylogger and Infostealer first seen in November 2020.

  • CustAttr .NET packer

    Description

    Detects CustAttr .NET packer in memory.

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/3156-121-0x0000000005160000-0x000000000516B000-memory.dmp | CustAttr

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    14 | checkip.dyndns.org

  • Suspicious use of SetThreadContext
    ede697a91e18c73baf01ca677aa33917.exe

    Reported IOCs

    description | pid | process | target process
    PID 3156 set thread context of 3996 | 3156 | ede697a91e18c73baf01ca677aa33917.exe | ede697a91e18c73baf01ca677aa33917.exe

  • Program crash
    WerFault.exe

    Reported IOCs

    pid | pid_target | process | target process
    3656 | 3996 | WerFault.exe | ede697a91e18c73baf01ca677aa33917.exe

  • Suspicious behavior: EnumeratesProcesses
    ede697a91e18c73baf01ca677aa33917.exeWerFault.exe

    Reported IOCs

    pid | process
    3996 | ede697a91e18c73baf01ca677aa33917.exe
    3656 | WerFault.exe (14 identical rows)

  • Suspicious use of AdjustPrivilegeToken
    ede697a91e18c73baf01ca677aa33917.exeWerFault.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 3996 | ede697a91e18c73baf01ca677aa33917.exe
    Token: SeRestorePrivilege | 3656 | WerFault.exe
    Token: SeBackupPrivilege | 3656 | WerFault.exe
    Token: SeDebugPrivilege | 3656 | WerFault.exe

  • Suspicious use of WriteProcessMemory
    ede697a91e18c73baf01ca677aa33917.exe

    Reported IOCs

    description | pid | process | target process
    PID 3156 wrote to memory of 3996 | 3156 | ede697a91e18c73baf01ca677aa33917.exe | ede697a91e18c73baf01ca677aa33917.exe (8 identical rows)

Processes (3)
  • C:\Users\Admin\AppData\Local\Temp\ede697a91e18c73baf01ca677aa33917.exe
    "C:\Users\Admin\AppData\Local\Temp\ede697a91e18c73baf01ca677aa33917.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:3156
    • C:\Users\Admin\AppData\Local\Temp\ede697a91e18c73baf01ca677aa33917.exe
      "C:\Users\Admin\AppData\Local\Temp\ede697a91e18c73baf01ca677aa33917.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3996
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1448
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:3656
Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ede697a91e18c73baf01ca677aa33917.exe.log
    MD5: c3cc52ccca9ff2b6fa8d267fc350ca6b
    SHA1: a68d4028333296d222e4afd75dea36fdc98d05f3
    SHA256: 3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e
    SHA512: b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7
  • memory/3156-114-0x00000000002D0000-0x00000000002D1000-memory.dmp
  • memory/3156-117-0x0000000004BC0000-0x0000000004BC1000-memory.dmp
  • memory/3156-118-0x0000000004D20000-0x0000000004D21000-memory.dmp
  • memory/3156-119-0x0000000004BA0000-0x0000000004BA1000-memory.dmp
  • memory/3156-120-0x0000000004D20000-0x000000000521E000-memory.dmp
  • memory/3156-121-0x0000000005160000-0x000000000516B000-memory.dmp
  • memory/3156-122-0x0000000006E90000-0x0000000006EF8000-memory.dmp
  • memory/3156-123-0x0000000006F10000-0x0000000006F36000-memory.dmp
  • memory/3156-116-0x0000000005220000-0x0000000005221000-memory.dmp
  • memory/3996-124-0x0000000000400000-0x0000000000424000-memory.dmp
  • memory/3996-125-0x000000000041F89E-mapping.dmp
  • memory/3996-131-0x0000000005400000-0x00000000058FE000-memory.dmp