Analysis
-
max time kernel
71s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
30-09-2022 22:23
General
-
Target
payment copy.exe
-
Size
890KB
-
MD5
f2930c042eb6ec47af52acde3f5a3b52
-
SHA1
7fe71449b27a4284adaf63f473b8152cfc7bbc99
-
SHA256
70e6066712386cd030bb8a6b9ef4f6972d4da1035f547cbdbf93a71a79e2a951
-
SHA512
3a212c5a340e440953857be8bc4f5f6382624cfa5c1dced942ba9bb11206eaa0cef204336ce03dd0002b4566f37bb559c9dab6f23f1934c967a2c173290a06cf
-
SSDEEP
12288:vuZL7Y/mYagzSg+nesdJwNlp1tRUwtx+/lKn5JQH:vuZfimifNlPtyjlIy
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot5329940603:AAEm7pamtb0Y3gJkFH2RisynqkQ5_GX9q5A/sendMessage?chat_id=5535403842
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\payment copy.exe"C:\Users\Admin\AppData\Local\Temp\payment copy.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\payment copy.exe"C:\Users\Admin\AppData\Local\Temp\payment copy.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment copy.exe.logFilesize
1KB
MD5e08f822522c617a40840c62e4b0fb45e
SHA1ae516dca4da5234be6676d3f234c19ec55725be7
SHA256bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7
SHA512894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4
-
memory/4216-132-0x00000000003E0000-0x00000000004C4000-memory.dmpFilesize
912KB
-
memory/4216-133-0x0000000005380000-0x0000000005924000-memory.dmpFilesize
5.6MB
-
memory/4216-134-0x0000000004D20000-0x0000000004DB2000-memory.dmpFilesize
584KB
-
memory/4216-135-0x0000000004EF0000-0x0000000004EFA000-memory.dmpFilesize
40KB
-
memory/4216-136-0x0000000008C20000-0x0000000008CBC000-memory.dmpFilesize
624KB
-
memory/4216-137-0x0000000008CC0000-0x0000000008D26000-memory.dmpFilesize
408KB
-
memory/4444-138-0x0000000000000000-mapping.dmp
-
memory/4444-139-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/4444-141-0x0000000006350000-0x0000000006512000-memory.dmpFilesize
1.8MB