a28c434e703d9d0961f526f87a61109c.exe

General

Target: a28c434e703d9d0961f526f87a61109c.exe
Filesize: 662KB
Completed: 25-11-2021 16:49
Score: 10/10
MD5: a28c434e703d9d0961f526f87a61109c
SHA1: c18ce22d993ee202d7c4e91aeda8f602a1ddb054
SHA256: 1a58c708f0c8b203949c9f180813f7fd6665b2f7bbf6f474b39d94e3d6638a30

Malware Config

Extracted

Family: snakekeylogger
Credentials
Protocol: smtp
Host: octfirr.shop
Port: 587
Username: income@octfirr.shop
Password: oPU]A^_2)Udl

Signatures 12

Collection
Credential Access
  • Snake Keylogger

    Description

    Keylogger and Infostealer first seen in November 2020.

  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Accesses Microsoft Outlook profiles
    a28c434e703d9d0961f526f87a61109c.exe

    Tags

    TTPs

    Email Collection

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | a28c434e703d9d0961f526f87a61109c.exe
    Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | a28c434e703d9d0961f526f87a61109c.exe
    Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | a28c434e703d9d0961f526f87a61109c.exe
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    22 | checkip.dyndns.org
    25 | freegeoip.app
    26 | freegeoip.app
  • Suspicious use of SetThreadContext
    a28c434e703d9d0961f526f87a61109c.exe

    Reported IOCs

    description | pid | process | target process
    PID 3672 set thread context of 972 | 3672 | a28c434e703d9d0961f526f87a61109c.exe | a28c434e703d9d0961f526f87a61109c.exe
  • Suspicious behavior: EnumeratesProcesses
    a28c434e703d9d0961f526f87a61109c.exe
    a28c434e703d9d0961f526f87a61109c.exe

    Reported IOCs

    pid | process
    3672 | a28c434e703d9d0961f526f87a61109c.exe
    3672 | a28c434e703d9d0961f526f87a61109c.exe
    3672 | a28c434e703d9d0961f526f87a61109c.exe
    972 | a28c434e703d9d0961f526f87a61109c.exe
  • Suspicious use of AdjustPrivilegeToken
    a28c434e703d9d0961f526f87a61109c.exe
    a28c434e703d9d0961f526f87a61109c.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 3672 | a28c434e703d9d0961f526f87a61109c.exe
    Token: SeDebugPrivilege | 972 | a28c434e703d9d0961f526f87a61109c.exe
  • Suspicious use of WriteProcessMemory
    a28c434e703d9d0961f526f87a61109c.exe

    Reported IOCs

    description | pid | process | target process
    PID 3672 wrote to memory of 972 | 3672 | a28c434e703d9d0961f526f87a61109c.exe | a28c434e703d9d0961f526f87a61109c.exe
    PID 3672 wrote to memory of 972 | 3672 | a28c434e703d9d0961f526f87a61109c.exe | a28c434e703d9d0961f526f87a61109c.exe
    PID 3672 wrote to memory of 972 | 3672 | a28c434e703d9d0961f526f87a61109c.exe | a28c434e703d9d0961f526f87a61109c.exe
    PID 3672 wrote to memory of 972 | 3672 | a28c434e703d9d0961f526f87a61109c.exe | a28c434e703d9d0961f526f87a61109c.exe
    PID 3672 wrote to memory of 972 | 3672 | a28c434e703d9d0961f526f87a61109c.exe | a28c434e703d9d0961f526f87a61109c.exe
    PID 3672 wrote to memory of 972 | 3672 | a28c434e703d9d0961f526f87a61109c.exe | a28c434e703d9d0961f526f87a61109c.exe
    PID 3672 wrote to memory of 972 | 3672 | a28c434e703d9d0961f526f87a61109c.exe | a28c434e703d9d0961f526f87a61109c.exe
    PID 3672 wrote to memory of 972 | 3672 | a28c434e703d9d0961f526f87a61109c.exe | a28c434e703d9d0961f526f87a61109c.exe
  • outlook_office_path
    a28c434e703d9d0961f526f87a61109c.exe

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | a28c434e703d9d0961f526f87a61109c.exe
  • outlook_win_path
    a28c434e703d9d0961f526f87a61109c.exe

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | a28c434e703d9d0961f526f87a61109c.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\a28c434e703d9d0961f526f87a61109c.exe
    "C:\Users\Admin\AppData\Local\Temp\a28c434e703d9d0961f526f87a61109c.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Users\Admin\AppData\Local\Temp\a28c434e703d9d0961f526f87a61109c.exe
      C:\Users\Admin\AppData\Local\Temp\a28c434e703d9d0961f526f87a61109c.exe
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:972
Network
MITRE ATT&CK Matrix
Columns: Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a28c434e703d9d0961f526f87a61109c.exe.log
    MD5: 10e24c22b1795d288fb8a915db04a7f1
    SHA1: 595e82869944ffad9577b4927084cbf0495e6c39
    SHA256: 858c0144b55f4b3d33b00ec7c91c6d891ffbfcca694afd7115ce767119c9b759
    SHA512: 262b15d857618556aa7e0943a41698f03b5d4bd50e3cd53862f30a8dbbaca30ce7aa1cbd7baf8a5f3d046190c5be2cd8d6ad39f2842c030e2c68974a9935ab95
  • memory/972-133-0x0000000005F20000-0x0000000005F21000-memory.dmp
  • memory/972-132-0x0000000002850000-0x0000000002851000-memory.dmp
  • memory/972-131-0x0000000004E30000-0x0000000004E31000-memory.dmp
  • memory/972-126-0x00000000004204CE-mapping.dmp
  • memory/972-125-0x0000000000400000-0x0000000000426000-memory.dmp
  • memory/3672-123-0x00000000055A0000-0x00000000055BB000-memory.dmp
  • memory/3672-122-0x0000000005570000-0x0000000005597000-memory.dmp
  • memory/3672-124-0x0000000005700000-0x0000000005701000-memory.dmp
  • memory/3672-121-0x00000000052D0000-0x00000000057CE000-memory.dmp
  • memory/3672-120-0x0000000005690000-0x0000000005691000-memory.dmp
  • memory/3672-119-0x00000000055F0000-0x00000000055F1000-memory.dmp
  • memory/3672-118-0x00000000052D0000-0x000000000534B000-memory.dmp
  • memory/3672-117-0x00000000057D0000-0x00000000057D1000-memory.dmp
  • memory/3672-115-0x00000000008B0000-0x00000000008B1000-memory.dmp