Analysis

  • max time kernel
    43s
  • max time network
    112s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 07:33

General

  • Target

    bank_payment form.exe

  • Size

    229KB

  • MD5

    773aeb8b7d2c978f5e6827e3156a5115

  • SHA1

    5cf948bc30bca89a8b32ed38c5c723cca13fa196

  • SHA256

    32e3f433b732245bcd8a27d204a770fc82d70010f3cb1549dc91f04d24849941

  • SHA512

    5b76cc3802f7809bbb389048358bb0374273406492445c75abe301342ba9b7833f613073e7c5eda4e1d249b947822d6ffdba10735685ff0825055cd2b4a8b376

Malware Config

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger Payload 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour; treat that as a canned label here, since nothing else in this report (no file encryption, no ransom note) supports ransomware and the sample is classified as Snake Keylogger, where drive enumeration precedes file collection.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs
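
The three "Reads ..." signatures and the two outlook_* rule hits above describe one thing: a single process reading credential stores belonging to several unrelated applications. The detector below, added here as an example and not part of the sandbox report, classifies file and registry accesses against assumed store locations (FileZilla's sitemanager.xml/recentservers.xml, Chrome's Login Data, Firefox's logins.json, and the two Outlook profile registry keys the outlook_office_path/outlook_win_path rule names point at) and raises a process only when it touches more than one category. The event records are constructed to mirror PID 1348; the path patterns are assumptions, not strings extracted from this sample.

```python
import re

# Assumed credential-store locations matching the signatures above; these are
# common infostealer targets, not paths taken from this report. Patterns are
# applied to lower-cased paths, so they are written in lower case.
INFOSTEALER_TARGETS = {
    "ftp_client_config": [
        r"\\appdata\\roaming\\filezilla\\(sitemanager|recentservers)\.xml$",
    ],
    "browser_credentials": [
        r"\\appdata\\local\\google\\chrome\\user data\\[^\\]+\\login data$",
        r"\\appdata\\roaming\\mozilla\\firefox\\profiles\\[^\\]+\\logins\.json$",
    ],
    "email_client_profile": [
        # outlook_office_path / outlook_win_path: assumed Outlook profile keys
        r"^hkcu\\software\\microsoft\\office\\\d+\.\d+\\outlook\\profiles",
        r"^hkcu\\software\\microsoft\\windows nt\\currentversion\\windows messaging subsystem\\profiles",
    ],
}


def classify(events):
    """Map each pid to the set of credential-store categories it touched.

    Each event is a dict with 'pid', 'op' and 'path' (file path or registry key).
    """
    hits = {}
    for ev in events:
        target = ev["path"].lower()
        for category, patterns in INFOSTEALER_TARGETS.items():
            if any(re.search(p, target) for p in patterns):
                hits.setdefault(ev["pid"], set()).add(category)
    return hits


def infostealer_suspects(events, min_categories=2):
    """Pids that touched at least `min_categories` distinct credential stores.

    One category alone is noisy (backup tools read browser profiles); a process
    reading FTP configs, mail profiles and browser logins in one run is not.
    """
    return sorted(pid for pid, cats in classify(events).items()
                  if len(cats) >= min_categories)


# Constructed events mirroring the behaviour attributed to PID 1348 above, plus
# a benign process (pid 2200, assumed) that touches one store only.
SAMPLE_EVENTS = [
    {"pid": 1348, "op": "read", "path": r"C:\Users\Admin\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"pid": 1348, "op": "read", "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 1348, "op": "regquery", "path": r"HKCU\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook"},
    {"pid": 1348, "op": "regquery", "path": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"},
    {"pid": 2200, "op": "read", "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 2200, "op": "read", "path": r"C:\Users\Admin\Documents\notes.txt"},
]

if __name__ == "__main__":
    for pid, cats in sorted(classify(SAMPLE_EVENTS).items()):
        print(pid, sorted(cats))
    print("suspects:", infostealer_suspects(SAMPLE_EVENTS))
```

The two-category threshold is the point: a process that reads one store is an everyday occurrence, a process that reads FTP, mail and browser stores inside one run is the Snake Keylogger profile this report describes.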

Processes

  • C:\Users\Admin\AppData\Local\Temp\bank_payment form.exe
    "C:\Users\Admin\AppData\Local\Temp\bank_payment form.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1364
    • C:\Users\Admin\AppData\Local\Temp\xgfelmj.exe
      C:\Users\Admin\AppData\Local\Temp\xgfelmj.exe C:\Users\Admin\AppData\Local\Temp\mpytqzqsx
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Users\Admin\AppData\Local\Temp\xgfelmj.exe
        C:\Users\Admin\AppData\Local\Temp\xgfelmj.exe C:\Users\Admin\AppData\Local\Temp\mpytqzqsx
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1348

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\esliolzc8ysrwtt598tt
    Filesize

    196KB

    MD5

    089ec04b50fabcb804eed3fc2ee95b18

    SHA1

    4fae7c5feb9236f405858524b8461be9f06dfc19

    SHA256

    0d786f56d3bb1d76f4b7a658616674e763e687b7baccfd128e79c0fad60a580a

    SHA512

    2b96c679d98b788fb5706a4c2ec6eaec6c44df732084fd109f7d769c7e0b5d255e9e14eb3786486dd90564754242b2c7b23a159625e1b42241998fe95c0489e4

  • C:\Users\Admin\AppData\Local\Temp\mpytqzqsx
    Filesize

    5KB

    MD5

    fb0b69c4cf6c3743b47fa9fc35503c47

    SHA1

    5cffdd773544595fdf2951666b5bc66da924426a

    SHA256

    6f9ecba97920ddbc0e8a149271a96f4b178fb67b46e848c24ed7032e067b429f

    SHA512

    457e01dfc0894a83f0bd50c965191a61ce8b22680c4ba7715ef78c46401fcb3c9bcc6aa3c160f2abce24838d03d2539b95a7f390abaf735bab1b197431e62f5f

  • C:\Users\Admin\AppData\Local\Temp\xgfelmj.exe
    Filesize

    4KB

    MD5

    95ddcdc98ec9c024242038a7732c8f0d

    SHA1

    97a769287ab24fcdf87a53b33d4cd08281833325

    SHA256

    f2d2e945bbaa6578255b7d6bd4192327d9b280cb0a45fb6bc38f0c68f67436ec

    SHA512

    2c8732319934fb7009cc861b61fd9900744c9bb783cc60bb4e5aadb5220e03ee1c4bb39f8e36869d5efc9e89850466b6e7188d41c5f8e8dfe8b6244e29e03037

  • \Users\Admin\AppData\Local\Temp\xgfelmj.exe
    Filesize

    4KB

    MD5

    95ddcdc98ec9c024242038a7732c8f0d

    SHA1

    97a769287ab24fcdf87a53b33d4cd08281833325

    SHA256

    f2d2e945bbaa6578255b7d6bd4192327d9b280cb0a45fb6bc38f0c68f67436ec

    SHA512

    2c8732319934fb7009cc861b61fd9900744c9bb783cc60bb4e5aadb5220e03ee1c4bb39f8e36869d5efc9e89850466b6e7188d41c5f8e8dfe8b6244e29e03037

  • memory/1348-64-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize

    208KB

  • memory/1348-65-0x0000000000401896-mapping.dmp
  • memory/1348-69-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize

    208KB

  • memory/1348-70-0x0000000000390000-0x00000000003B6000-memory.dmp
    Filesize

    152KB

  • memory/1348-71-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize

    208KB

  • memory/1364-54-0x00000000765F1000-0x00000000765F3000-memory.dmp
    Filesize

    8KB

  • memory/2012-57-0x0000000000000000-mapping.dmp
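
A first response step is to sweep hosts for the dropped files listed above. The following script, an added example rather than anything from the report, hashes every file under a directory once with all four digests the report records and matches any of them against the report's MD5 and SHA256 values; the IoC table is copied from this page.

```python
import hashlib
import os

# Hash IoCs copied from the report: the submitted sample and its three dropped
# files. MD5 and SHA256 are both included so feeds carrying either still match.
REPORT_IOCS = {
    "773aeb8b7d2c978f5e6827e3156a5115": "bank_payment form.exe (submitted sample)",
    "32e3f433b732245bcd8a27d204a770fc82d70010f3cb1549dc91f04d24849941": "bank_payment form.exe (submitted sample)",
    "089ec04b50fabcb804eed3fc2ee95b18": "esliolzc8ysrwtt598tt (196KB dropped blob)",
    "0d786f56d3bb1d76f4b7a658616674e763e687b7baccfd128e79c0fad60a580a": "esliolzc8ysrwtt598tt (196KB dropped blob)",
    "fb0b69c4cf6c3743b47fa9fc35503c47": "mpytqzqsx (5KB dropped blob)",
    "6f9ecba97920ddbc0e8a149271a96f4b178fb67b46e848c24ed7032e067b429f": "mpytqzqsx (5KB dropped blob)",
    "95ddcdc98ec9c024242038a7732c8f0d": "xgfelmj.exe (4KB dropped loader)",
    "f2d2e945bbaa6578255b7d6bd4192327d9b280cb0a45fb6bc38f0c68f67436ec": "xgfelmj.exe (4KB dropped loader)",
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_stream(chunks):
    """Hash an iterable of byte chunks with all four algorithms in one pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path, chunk_size=1 << 20):
    """Stream a file through digest_stream so large files are not read whole."""
    with open(path, "rb") as f:
        return digest_stream(iter(lambda: f.read(chunk_size), b""))


def match(digests, iocs=REPORT_IOCS):
    """[(algorithm, label)] for every digest present in the IoC table."""
    return [(name, iocs[value]) for name, value in digests.items() if value in iocs]


def sweep(root, iocs=REPORT_IOCS):
    """Walk `root` and return (path, algorithm, label) for every IoC hit.
    Unreadable files are skipped rather than aborting the sweep."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = digest_file(path)
            except OSError:
                continue
            for algorithm, label in match(digests, iocs):
                hits.append((path, algorithm, label))
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("TEMP", ".")
    for path, algorithm, label in sweep(root):
        print(f"{path}: {algorithm} matches {label}")
```

Point it at the user's Temp directory, where this sample drops everything. Hash IoCs only identify this exact build: the loader name xgfelmj.exe and the two blob names look randomly generated, and a rebuilt loader changes every hash, so pair this sweep with the behavioural signals the report documents (self-spawn from %TEMP% with SetThreadContext, credential-store reads) rather than relying on hashes alone.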