Analysis
- max time kernel: 113s
- max time network: 116s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 27-09-2021 17:31
Static task: static1
Behavioral task: behavioral1
- Sample: GUÍA DE CARGA...exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: GUÍA DE CARGA...exe
- Resource: win10-en-20210920
General
- Target: GUÍA DE CARGA...exe
- Size: 318KB
- MD5: fcce8f5a7e5fcdf78c02d6543c1af2bd
- SHA1: b2ea7197933811fc65425d46324af8ee231117f3
- SHA256: 9ff6781bac4d77465a973def710d9619cfa7fc6fe16a78225b7e22d3a89d0be0
- SHA512: dbdb5ca75513d15f94a14ca771fbb55e3d4ba204b3d9ce243327b439e28ffd01c4a7f7ee7dda34c43ac1c3f51c5abd420ccb54af1e80d32e5c7cbe899b787537
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.24310.gr
- Port: 587
- Username: 24310@24310.gr
- Password: ?_bEpvL{rN$%
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Loads dropped DLL (1 IoCs)
  Processes:
    pid: 3524, process: GUÍA DE CARGA...exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow: 1, ioc: checkip.dyndns.org
    flow: 4, ioc: freegeoip.app
    flow: 5, ioc: freegeoip.app
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 3524 set thread context of 3612, pid: 3524, process: GUÍA DE CARGA...exe, target process: GUÍA DE CARGA...exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid: 3612, process: GUÍA DE CARGA...exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeDebugPrivilege, pid: 3612, process: GUÍA DE CARGA...exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description: PID 3524 wrote to memory of 3612, pid: 3524, process: GUÍA DE CARGA...exe, target process: GUÍA DE CARGA...exe
    (this identical row is listed 10 times in the report, one per IoC)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\GUÍA DE CARGA...exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\GUÍA DE CARGA...exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Level 2 (child of the process above): C:\Users\Admin\AppData\Local\Temp\GUÍA DE CARGA...exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\GUÍA DE CARGA...exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- \Users\Admin\AppData\Local\Temp\nsk94B5.tmp\sbolbwplhfo.dll
  MD5: 1982c77d094d91ea36d299f4e8879b9e
  SHA1: 4faf7dd4bf9f8bec2c0f421980b8fb2ab628835d
  SHA256: 7660cdd2db7356c36acb9d2472ac2c89ebdfd79eef56de9dbfed34fcde381790
  SHA512: 75ca8a3ba5dd36c30805c13f5739f9e868d48aaa84d20a1e3b58923580726e40a3e4b850c66646ca1ee9ae46ae7a8accff089d5bade2677d7e8b4438087ed3ba
- memory/3612-116-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB
- memory/3612-117-0x000000000040188B-mapping.dmp
- memory/3612-118-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB
- memory/3612-119-0x0000000002190000-0x00000000021C5000-memory.dmp
  Filesize: 212KB
- memory/3612-121-0x0000000004A70000-0x0000000004A71000-memory.dmp
  Filesize: 4KB
- memory/3612-122-0x00000000048A0000-0x00000000048A1000-memory.dmp
  Filesize: 4KB
- memory/3612-124-0x0000000004A62000-0x0000000004A63000-memory.dmp
  Filesize: 4KB
- memory/3612-123-0x0000000004A60000-0x0000000004A61000-memory.dmp
  Filesize: 4KB
- memory/3612-126-0x0000000004A64000-0x0000000004A65000-memory.dmp
  Filesize: 4KB
- memory/3612-125-0x0000000004A63000-0x0000000004A64000-memory.dmp
  Filesize: 4KB
- memory/3612-127-0x0000000005800000-0x0000000005801000-memory.dmp
  Filesize: 4KB
- memory/3612-128-0x0000000005AF0000-0x0000000005AF1000-memory.dmp
  Filesize: 4KB
- memory/3612-129-0x0000000005CB0000-0x0000000005CB1000-memory.dmp
  Filesize: 4KB