Overview

overview

10

Static

static

nakit.exe

windows7_x64

3

nakit.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    02-12-2021 16:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nakit.exe

  • Size

    587KB

  • MD5

    1c07bd7e68247568357448dc81d45e53

  • SHA1

    88c96369e426a72d3043582115da7aa623b00e66

  • SHA256

    ea11fa5c53db476858902d1ac3a763bf6da8e743b9dc3a508a203b18ffc2d9a5

  • SHA512

    ffdb7e4dd2d67db9bb20ea5d2fd83d12c49feaa7a9ac49ef9c51c2971ce294e42c6db9ac4719b0007ec61f184c854d2004c88cd0d40078f49f6c9631e3ddd35a

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    mail.egesucuklari.com.tr
  • Port:
    587
  • Username:
    info@egesucuklari.com.tr
  • Password:
    EgeTire1966

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nakit.exe
    "C:\Users\Admin\AppData\Local\Temp\nakit.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3760
    • C:\Users\Admin\AppData\Local\Temp\nakit.exe
      "C:\Users\Admin\AppData\Local\Temp\nakit.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:3428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nakit.exe.log
    MD5

    f1181bc4bdff57024c4121f645548332

    SHA1

    d431ee3a3a5afcae2c4537b1d445054a0a95f6e6

    SHA256

    f1a7e138b25d0cb24bb4b23bd781b0dd357afd49d45e19ffa44cdb80170336ad

    SHA512

    cf8059f289bcb4f33e82a2c4851fade486bd449793a39718d49bc357efd09689150aedd277c5ebcf79b5ebb4bbe36f0cbb72510a50398bee804ffd9c889604e3

    Download Submit
  • memory/3428-128-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize

    152KB

    Download
  • memory/3428-136-0x0000000006140000-0x0000000006141000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3428-135-0x0000000004E20000-0x000000000531E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3428-129-0x000000000042044E-mapping.dmp
    Download
  • memory/3760-122-0x0000000005780000-0x0000000005C7E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3760-125-0x0000000005BA0000-0x0000000005BA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3760-126-0x0000000006520000-0x0000000006521000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3760-127-0x00000000066C0000-0x000000000673B000-memory.dmp
    Filesize

    492KB

    Download
  • memory/3760-124-0x0000000005760000-0x0000000005768000-memory.dmp
    Filesize

    32KB

    Download
  • memory/3760-123-0x0000000005730000-0x0000000005731000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3760-118-0x0000000000D30000-0x0000000000D31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3760-121-0x0000000005780000-0x0000000005781000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3760-120-0x0000000005C80000-0x0000000005C81000-memory.dmp
    Filesize

    4KB

    Download