Analysis
- Max time kernel: 110s
- Max time network: 127s
- Platform: windows10_x64
- Resource: win10-en-20211014
- Submitted: 07-12-2021 10:50

Static task: static1
Behavioral task: behavioral1
- Sample: BANK SLIP.exe
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: BANK SLIP.exe
- Resource: win10-en-20211014
General
- Target: BANK SLIP.exe
- Size: 968KB
- MD5: b8a51c2e7894dc9740df407ac48ebac1
- SHA1: d56d487d95d030ee2a2de2537ff96085087c32cd
- SHA256: 2b4173dd7ab1163a08c7d6a9ad25dd3bef1cd2d7f9277807ee04ede858d5964c
- SHA512: 40036c10165c94df6cf243c383bb7943ffa8dfed38c1a8d912be81c80b7364f1cf6b3bbaf32429b136d2c457ea4527f6811c28126009c392e36ab93e7270ee1f
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.agc.com.sa
- Port: 587
- Username: vijayakumar.singh@agc.com.sa
- Password: admin@admin$$
This is the exfiltration channel: the stealer mails its logs through the listed account over SMTP submission (TCP 587). The mailbox sits on a third-party domain, not the victim's, so treat it as the operator's drop point and the credentials as already exposed.
Signatures
- Snake Keylogger
  Keylogger and infostealer first seen in November 2020.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: BANK SLIP.exe
  Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 22: checkip.dyndns.org
  Flow 24: freegeoip.app
  Flow 25: freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  PID 3520 (BANK SLIP.exe) set thread context of PID 2888 (BANK SLIP.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2888 (BANK SLIP.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 2888 (BANK SLIP.exe): Token SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3520 (BANK SLIP.exe) wrote to memory of PID 2888 (BANK SLIP.exe), eight times
  Read together, these rows are the process-hollowing sequence: the first instance (3520) starts a second copy of its own image (2888), writes into that process across eight WriteProcessMemory calls, then redirects one of its threads with SetThreadContext. Every credential-theft signature (Outlook profile access, SeDebugPrivilege, process enumeration) fires in the child, so 2888 is the process whose memory holds the decoded stealer.
- outlook_office_path (1 IoC)
  Process: BANK SLIP.exe
  Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Process: BANK SLIP.exe
  Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
(PIDs taken from the signature rows above)
- C:\Users\Admin\AppData\Local\Temp\BANK SLIP.exe (PID 3520)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BANK SLIP.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\BANK SLIP.exe (PID 2888, child of 3520)
    Command line: "C:\Users\Admin\AppData\Local\Temp\BANK SLIP.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
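The signature rows and the process tree above can be reduced to a verdict mechanically. The script below is an added example, not Triage's own code: every record in it is constructed from the report's tables (the API-call rows with caller and target PID, the three Outlook profile keys, and the three DNS flows), and the attribution of the registry rows to PID 2888 follows the process tree. It finds the write-then-SetThreadContext pair that marks process hollowing, classifies which Outlook profile stores were touched, and lists the IP-lookup hosts.

```python
"""Triage of the sandbox signature rows: an added example, not Triage's own
code. All records are constructed from the report so the script runs offline."""
import json
import re
from collections import Counter

# (caller pid, operation, target pid, image) from the API-call signatures.
# The report lists eight WriteProcessMemory rows for 3520 -> 2888.
API_EVENTS = [(3520, "WriteProcessMemory", 2888, "BANK SLIP.exe")] * 8 + [
    (3520, "SetThreadContext", 2888, "BANK SLIP.exe"),
    (2888, "EnumeratesProcesses", None, "BANK SLIP.exe"),
    (2888, "AdjustPrivilegeToken:SeDebugPrivilege", None, "BANK SLIP.exe"),
]

# (pid, key) from the "Accesses Microsoft Outlook profiles" rows; the process
# tree places them in the child instance, PID 2888 (assumption from the tree).
HIVE = r"\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft"
GUID = "9375CFF0413111d3B88A00104B2A6676"
REGISTRY_EVENTS = [
    (2888, HIVE + r"\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook" + "\\" + GUID),
    (2888, HIVE + r"\Office\16.0\Outlook\Profiles\Outlook" + "\\" + GUID),
    (2888, HIVE + r"\Office\15.0\Outlook\Profiles\Outlook" + "\\" + GUID),
]

# (flow id, host) from the "Looks up external IP address" rows.
DNS_FLOWS = [(22, "checkip.dyndns.org"), (24, "freegeoip.app"), (25, "freegeoip.app")]

# Matches both the Office-versioned and the Windows Messaging Subsystem profile stores.
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Software\\Microsoft\\(?:Office\\(?P<office>\d+\.\d+)\\Outlook"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles\\",
    re.IGNORECASE)

# Only the hosts named in the report; extend with lookup services seen in your own telemetry.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "freegeoip.app"}


def find_hollowing(events):
    """(writer pid, target pid, write count) for every process that wrote into
    another process and then replaced a thread context there: the
    process-hollowing pattern the SetThreadContext/WriteProcessMemory rows show."""
    writes = Counter()
    ctx_targets = []
    for pid, op, target, _image in events:
        if op == "WriteProcessMemory":
            writes[(pid, target)] += 1
        elif op == "SetThreadContext":
            ctx_targets.append((pid, target))
    return [(p, t, writes[(p, t)]) for p, t in ctx_targets
            if p != t and writes[(p, t)] > 0]


def outlook_profile_access(reg_events):
    """pid -> sorted list of profile stores touched: 'win' for the Windows
    Messaging Subsystem key, otherwise the Office version in the key path."""
    hits = {}
    for pid, key in reg_events:
        m = OUTLOOK_PROFILE_RE.search(key)
        if m:
            hits.setdefault(pid, set()).add(m.group("office") or "win")
    return {pid: sorted(stores) for pid, stores in hits.items()}


def ip_lookup_hosts(flows):
    """Distinct external-IP lookup services contacted, in sorted order."""
    return sorted({host for _flow, host in flows if host.lower() in IP_LOOKUP_HOSTS})


def triage(events, reg_events, flows):
    """The verdict an analyst wants from the rows: who injected into whom, and
    whether the credential-theft behaviour happened inside the injected process."""
    hollow = find_hollowing(events)
    payload_pids = sorted({t for _p, t, _n in hollow})
    outlook = outlook_profile_access(reg_events)
    return {
        "hollowing": hollow,
        "payload_pids": payload_pids,
        "debug_privilege": sorted({pid for pid, op, _t, _i in events
                                   if op.startswith("AdjustPrivilegeToken:")}),
        "outlook_profiles": outlook,
        "ip_lookup": ip_lookup_hosts(flows),
        "stealer_in_payload": any(pid in outlook for pid in payload_pids),
    }


if __name__ == "__main__":
    print(json.dumps(triage(API_EVENTS, REGISTRY_EVENTS, DNS_FLOWS), indent=2))
```

The hollowing check deliberately requires both a write and a thread-context change between the same pair of PIDs; a lone WriteProcessMemory is common in benign software (debuggers, some installers), while the pair is not.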
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
Memory dumps, grouped by process (parent 3520, child 2888) in capture order:
- memory/3520-115-0x0000000000850000-0x0000000000851000-memory.dmp  4KB
- memory/3520-117-0x0000000005720000-0x0000000005721000-memory.dmp  4KB
- memory/3520-118-0x0000000005300000-0x0000000005301000-memory.dmp  4KB
- memory/3520-119-0x0000000005220000-0x000000000571E000-memory.dmp  5.0MB
- memory/3520-120-0x00000000052A0000-0x00000000052A1000-memory.dmp  4KB
- memory/3520-121-0x0000000005450000-0x0000000005455000-memory.dmp  20KB
- memory/3520-122-0x0000000005D20000-0x0000000005D21000-memory.dmp  4KB
- memory/3520-123-0x0000000006090000-0x0000000006091000-memory.dmp  4KB
- memory/3520-124-0x0000000006130000-0x000000000623A000-memory.dmp  1.0MB
- memory/2888-125-0x0000000000400000-0x0000000000426000-memory.dmp  152KB
- memory/2888-126-0x00000000004203FE-mapping.dmp
- memory/2888-131-0x00000000050E0000-0x00000000055DE000-memory.dmp  5.0MB
- memory/2888-132-0x0000000006370000-0x0000000006371000-memory.dmp  4KB
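The dump names encode PID, capture index and address range, which is enough to decide where to start. The script below is an added example, not part of the report or of Triage's tooling: it parses the names listed above (copied verbatim), recomputes the sizes the report displays, and resolves each `-mapping.dmp` address to the dumped region of the same PID that contains it. For this sample the mapping address 0x4203FE falls inside the 152KB region at 0x400000 of PID 2888, the process that received the WriteProcessMemory and SetThreadContext calls, so that dump is the first place to look for the unpacked stealer (an inference from the rows, not something the report states).

```python
"""Inventory of the Triage memory dumps listed above: an added example, not
Triage's own tooling. File names are copied from the report; sizes are recomputed."""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$")

# Verbatim from the report's Downloads section.
DUMPS = [
    "memory/2888-125-0x0000000000400000-0x0000000000426000-memory.dmp",
    "memory/2888-132-0x0000000006370000-0x0000000006371000-memory.dmp",
    "memory/2888-131-0x00000000050E0000-0x00000000055DE000-memory.dmp",
    "memory/2888-126-0x00000000004203FE-mapping.dmp",
    "memory/3520-119-0x0000000005220000-0x000000000571E000-memory.dmp",
    "memory/3520-121-0x0000000005450000-0x0000000005455000-memory.dmp",
    "memory/3520-122-0x0000000005D20000-0x0000000005D21000-memory.dmp",
    "memory/3520-123-0x0000000006090000-0x0000000006091000-memory.dmp",
    "memory/3520-124-0x0000000006130000-0x000000000623A000-memory.dmp",
    "memory/3520-120-0x00000000052A0000-0x00000000052A1000-memory.dmp",
    "memory/3520-115-0x0000000000850000-0x0000000000851000-memory.dmp",
    "memory/3520-118-0x0000000005300000-0x0000000005301000-memory.dmp",
    "memory/3520-117-0x0000000005720000-0x0000000005721000-memory.dmp",
]


def parse_dump(name):
    """Split a dump file name into pid, capture index, start/end and kind."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"name": name, "pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "kind": "region" if end else "mapping"}


def human_size(nbytes):
    """Same rounding the report shows: whole KB below 1 MiB, one decimal MB above."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def region_size(name):
    """Byte length of a region dump, derived from its address range."""
    d = parse_dump(name)
    if d["kind"] != "region":
        raise ValueError("mapping dumps carry a single address, not a range")
    return d["end"] - d["start"]


def locate_mappings(names):
    """For every *-mapping.dmp, find the dumped region of the same PID that
    contains its address. Returns {mapping name: (region name, offset)} with
    None when no region of that PID covers the address."""
    parsed = [parse_dump(n) for n in names]
    regions = [d for d in parsed if d["kind"] == "region"]
    out = {}
    for m in (d for d in parsed if d["kind"] == "mapping"):
        out[m["name"]] = None
        for r in regions:
            if r["pid"] == m["pid"] and r["start"] <= m["start"] < r["end"]:
                out[m["name"]] = (r["name"], m["start"] - r["start"])
                break
    return out


def inventory(names):
    """(pid, idx, kind, size or address) rows ordered by PID and capture index."""
    rows = sorted((parse_dump(n) for n in names), key=lambda d: (d["pid"], d["idx"]))
    return [(d["pid"], d["idx"], d["kind"],
             human_size(d["end"] - d["start"]) if d["kind"] == "region" else f"0x{d['start']:X}")
            for d in rows]


if __name__ == "__main__":
    for row in inventory(DUMPS):
        print(*row)
    for mapping, hit in locate_mappings(DUMPS).items():
        print(mapping, "->", hit)
```

The offset returned for the mapping (0x203FE into the 0x400000 region) is where a disassembler should start once the 152KB dump is loaded at its original base; the two 5.0MB regions are the same size in both processes and are the usual candidates for the unpacking buffer rather than the final payload.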