Overview

overview

10

Static

static

2BABA new file.exe

windows7_x64

10

2BABA new file.exe

windows10_x64

10

Analysis

  • max time kernel
    126s
  • max time network
    128s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    18-10-2021 07:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2BABA new file.exe

  • Size

    449KB

  • MD5

    1a403d5b4db5509524bfd552afbc96f1

  • SHA1

    39a3ca238648f4f86741d6b94a190e0379aa7307

  • SHA256

    82b5be618f705ff7761c43590eb7dc89a2387512757dcc0df9290f29801b8f41

  • SHA512

    8de7ab3405bd1160fe09affac878ec8c252853cc6904d784ab1bcb4a5a1f43263ff917727149badcff74ac60443390b66dd5fe2c6400dd2d0805f39bcf5a0099

Score
10/10
snakekeyloggercollectionevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    mail.algodontekstil.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Alg001453

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2BABA new file.exe
    "C:\Users\Admin\AppData\Local\Temp\2BABA new file.exe"
    1⤵
    • Windows security modification
    • Accesses Microsoft Outlook profiles
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:1420
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2BABA new file.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3968
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2BABA new file.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

1
T1089

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    db01a2c1c7e70b2b038edf8ad5ad9826

    SHA1

    540217c647a73bad8d8a79e3a0f3998b5abd199b

    SHA256

    413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

    SHA512

    c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    8fd8786b441ad9c235c2507f6d35a6d0

    SHA1

    899eb544764e1eafb3bf90f2954257aae2a11859

    SHA256

    a849c13fe0e200964e31ec8d120f07c56f6cf78fefc9bdec56db5cfc4cfbc304

    SHA512

    ca8cf2fe25dfe94b227271d5b94e6763b0af826ced0325d156f95ecb51bc3f48bb052ba73e14fb565cfbe9e52db260fc50f8034b76a7c49de53343dc0f15bf48

    Download Submit
  • memory/516-153-0x00000000079C0000-0x00000000079C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/516-136-0x0000000001210000-0x0000000001211000-memory.dmp
    Filesize

    4KB

    Download
  • memory/516-197-0x0000000001213000-0x0000000001214000-memory.dmp
    Filesize

    4KB

    Download
  • memory/516-139-0x0000000006B00000-0x0000000006B01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/516-194-0x000000007E4F0000-0x000000007E4F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/516-184-0x0000000008910000-0x0000000008911000-memory.dmp
    Filesize

    4KB

    Download
  • memory/516-156-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/516-125-0x0000000000000000-mapping.dmp
    Download
  • memory/516-149-0x0000000006BC0000-0x0000000006BC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/516-129-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/516-130-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/516-137-0x0000000001212000-0x0000000001213000-memory.dmp
    Filesize

    4KB

    Download
  • memory/516-132-0x00000000010E0000-0x00000000010E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1420-123-0x0000000009BC0000-0x0000000009BC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1420-148-0x0000000009DB0000-0x0000000009DB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1420-131-0x0000000006700000-0x000000000671F000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1420-122-0x000000000A020000-0x000000000A021000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1420-141-0x000000000A990000-0x000000000A991000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1420-121-0x00000000099E0000-0x0000000009B15000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1420-117-0x0000000004D10000-0x0000000004D11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1420-118-0x0000000006660000-0x0000000006661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1420-115-0x0000000000330000-0x0000000000331000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3968-152-0x00000000085D0000-0x00000000085D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3968-126-0x0000000000F60000-0x0000000000F61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3968-135-0x0000000007580000-0x0000000007581000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3968-146-0x0000000007E20000-0x0000000007E21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3968-155-0x0000000000F60000-0x0000000000F61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3968-127-0x0000000000F60000-0x0000000000F61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3968-169-0x00000000092E0000-0x0000000009313000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3968-128-0x0000000004B30000-0x0000000004B31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3968-193-0x000000007EF20000-0x000000007EF21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3968-124-0x0000000000000000-mapping.dmp
    Download
  • memory/3968-198-0x0000000004B33000-0x0000000004B34000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3968-138-0x0000000004B32000-0x0000000004B33000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3968-144-0x0000000007CB0000-0x0000000007CB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3968-142-0x0000000007D70000-0x0000000007D71000-memory.dmp
    Filesize

    4KB

    Download