Analysis
-
max time kernel
90s -
max time network
101s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
06/11/2022, 05:39
General
-
Target
tmp.exe
-
Size
433KB
-
MD5
eaa1a25d87c5bdb3cce603c082723c69
-
SHA1
15ea3a5f59be3cd8d44da25a54a3b337324bd13b
-
SHA256
099bfbf0d439038049c7a80e415515db5fda73eaa11efb5886e24ac1caacecdc
-
SHA512
75d7b299143e0092bee38d14fc7d1debdf46242ed74d97453e0ef40dd3536bc578db8145bfc6c302944278f8526b48de1210341f270ffa4216c47db00dda8a30
-
SSDEEP
12288:Ug0wouHH1J+0i0Tqc0RyyWRUQ1GOi0nYTDD5EV1h0:UTu1Fz1RT1kTDlq1
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
cp5ua.hyperhost.ua - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@#$ - Email To:
[email protected]
https://api.telegram.org/bot5321688653:AAEI2yqGrOA_-sRZ3xaqutrexraSgFa0AnA/sendMessage?chat_id=5048077662
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 6 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
8KB
-
Filesize
456KB
-
Filesize
160KB
-
Filesize
384KB
-
Filesize
48KB
-
Filesize
80KB