General

  • Target

    STOWAGE PLAN.rar

  • Size

    2KB

  • Sample

    230131-jxe9gshc41

  • MD5

    5d6f0a15f41a268461003036aa5f4066

  • SHA1

    a8ec07099c0c3a1d3f0f3cc31f839cb3c121a7a3

  • SHA256

    86ad4fe5295b34f09988a3baffb53aff6f7e48b5daeaed222108df83367397f0

  • SHA512

    59902981f61c043a89efd6fab8c7b79baa24200f0ba095dc35bbf028c6d5f2ee4ab6e505dda5fe51aab769a063a8d2cd7d35ec1bd4abe5fd2f2a3df67ec9b19e

Malware Config

Extracted

Family

purecrypter

C2

http://185.225.74.107/Otetnraanrc.dll

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot1897716112:AAEAtOCkOV8umHBB93Og24bkiIdUKReGK44/sendMessage?chat_id=1745211648

Targets

    • Target

      STOWAGE PLAN.exe

    • Size

      6KB

    • MD5

      6fb742af8a97217112849204efa9fef1

    • SHA1

      52ab383906f57052e4c075d54b638153e92ad089

    • SHA256

      2f7bd380536e16506e680cc1ad9dfd613a4bd05d365f542ecbdb1bd16562f11d

    • SHA512

      5d8e93352baa4311c331d674bfe8ab8a761a093c32ae97260e3f7e55663b49f75829f4ca0d9029e17439919133f8ca01fee56b680a1fd80f1d3b29ba2ef9c958

    • SSDEEP

      96:x4Z26fp8osOth7fsXKOyc8RB29PrHQtGkjpmBzNt:8bWoBDUXKOyLKKr9mD

    • Detect PureCrypter injector

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Tasks