Analysis
-
max time kernel
66s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
07/11/2022, 14:57
General
-
Target
66617b2819a0e0789e60a888ccd71ec1.exe
-
Size
810KB
-
MD5
66617b2819a0e0789e60a888ccd71ec1
-
SHA1
1c06be549688dbcca343c3d0aa3e12477e8d2f3d
-
SHA256
8e4ee0ec7d1ac518e6f583d03c62b7d89978f2a0df7f5d1e50e709fe7a91a512
-
SHA512
aaa0b8210597dff7d68b62de97a7fd4b843a2012b0624b60044f92d0706abab9751f9f3cbfed901c52afa566e349a1609ab9fe7e3dbe5994dc8bbaeabdaab27a
-
SSDEEP
12288:84xQiE2iNxAesgJDfKSCGyTG+c/VyYZxHKQS36CYUl27toeMPVRS:/E1nNti5ah/ZZxHXCYUlaHMtY
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
cp5ua.hyperhost.ua - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@#$ - Email To:
[email protected]
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 6 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\66617b2819a0e0789e60a888ccd71ec1.exe"C:\Users\Admin\AppData\Local\Temp\66617b2819a0e0789e60a888ccd71ec1.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\66617b2819a0e0789e60a888ccd71ec1.exe"C:\Users\Admin\AppData\Local\Temp\66617b2819a0e0789e60a888ccd71ec1.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
8KB
-
Filesize
840KB
-
Filesize
280KB
-
Filesize
504KB
-
Filesize
48KB
-
Filesize
72KB