Analysis
-
max time kernel
54s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
16-02-2023 07:26
General
-
Target
Fatura_SUN2023000003827.exe
-
Size
448KB
-
MD5
04cc0750fc2e0ff6e81b4530e940f512
-
SHA1
82127102bb8725405d9416293fb2496c7c9d8b3e
-
SHA256
554fcafce29b66cc2dd33cff1e49f7d2c45f4e154c1f08bcb15d5aae3ad4ec1c
-
SHA512
b14cc7f0dbbc91ca295d80b471ea438854394189bafae9e4a8356674b0fa7cfe0254c0db7dd3181b95227b75d0be1cd63e54c8e4169d13b63379165622a7e07b
-
SSDEEP
6144:SYa6H/tW0PDPehrAG+7OELO94O7CQDmwv8bi/:SYd/ttLP0ri7OwO9zC4tUa
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fatura_SUN2023000003827.exe"C:\Users\Admin\AppData\Local\Temp\Fatura_SUN2023000003827.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\oeysiffsag.exe"C:\Users\Admin\AppData\Local\Temp\oeysiffsag.exe" C:\Users\Admin\AppData\Local\Temp\zweecankhi.aur2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\oeysiffsag.exe"C:\Users\Admin\AppData\Local\Temp\oeysiffsag.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\oeysiffsag.exe"C:\Users\Admin\AppData\Local\Temp\oeysiffsag.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\oeysiffsag.exe"C:\Users\Admin\AppData\Local\Temp\oeysiffsag.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\oeysiffsag.exe"C:\Users\Admin\AppData\Local\Temp\oeysiffsag.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\oeysiffsag.exe"C:\Users\Admin\AppData\Local\Temp\oeysiffsag.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
225KB
MD5216590d8e7476d6fe755390ab420f9c1
SHA1166a1d87e8c0edad92125eaa044bc2f3bb354447
SHA256674be3f8b419d8bcc1af68d7cd82e649eccd0889a663b1d362ae622f21fd50ee
SHA512cddf38fac64b98cf873046cb2210d6773e25b568803c42f5ad35e926a697b494d556dfd151ae052e23dddf80efe1f5fffb0f44a50af377ddcf18ef1de2ab50be
-
Filesize
127KB
MD5ccccc8741100aaf54c4e0ae3940b65bc
SHA11a92fa518ae6600bcb5934eda15f8522958e73f1
SHA25601d659257e1a2a88f1fa4561d691ed7faf07ca0208f5030122aa3cce58c61951
SHA5127ddf1f6e058378131074ee4b83b5182c1a1e9ca9166f4d0b6d7ba48282e1e936276884e0919c7881fa000b7e81ab028ba022f9cf111bd7ffcf0103ef1208edb0
-
Filesize
127KB
MD5ccccc8741100aaf54c4e0ae3940b65bc
SHA11a92fa518ae6600bcb5934eda15f8522958e73f1
SHA25601d659257e1a2a88f1fa4561d691ed7faf07ca0208f5030122aa3cce58c61951
SHA5127ddf1f6e058378131074ee4b83b5182c1a1e9ca9166f4d0b6d7ba48282e1e936276884e0919c7881fa000b7e81ab028ba022f9cf111bd7ffcf0103ef1208edb0
-
Filesize
127KB
MD5ccccc8741100aaf54c4e0ae3940b65bc
SHA11a92fa518ae6600bcb5934eda15f8522958e73f1
SHA25601d659257e1a2a88f1fa4561d691ed7faf07ca0208f5030122aa3cce58c61951
SHA5127ddf1f6e058378131074ee4b83b5182c1a1e9ca9166f4d0b6d7ba48282e1e936276884e0919c7881fa000b7e81ab028ba022f9cf111bd7ffcf0103ef1208edb0
-
Filesize
127KB
MD5ccccc8741100aaf54c4e0ae3940b65bc
SHA11a92fa518ae6600bcb5934eda15f8522958e73f1
SHA25601d659257e1a2a88f1fa4561d691ed7faf07ca0208f5030122aa3cce58c61951
SHA5127ddf1f6e058378131074ee4b83b5182c1a1e9ca9166f4d0b6d7ba48282e1e936276884e0919c7881fa000b7e81ab028ba022f9cf111bd7ffcf0103ef1208edb0
-
Filesize
127KB
MD5ccccc8741100aaf54c4e0ae3940b65bc
SHA11a92fa518ae6600bcb5934eda15f8522958e73f1
SHA25601d659257e1a2a88f1fa4561d691ed7faf07ca0208f5030122aa3cce58c61951
SHA5127ddf1f6e058378131074ee4b83b5182c1a1e9ca9166f4d0b6d7ba48282e1e936276884e0919c7881fa000b7e81ab028ba022f9cf111bd7ffcf0103ef1208edb0
-
Filesize
127KB
MD5ccccc8741100aaf54c4e0ae3940b65bc
SHA11a92fa518ae6600bcb5934eda15f8522958e73f1
SHA25601d659257e1a2a88f1fa4561d691ed7faf07ca0208f5030122aa3cce58c61951
SHA5127ddf1f6e058378131074ee4b83b5182c1a1e9ca9166f4d0b6d7ba48282e1e936276884e0919c7881fa000b7e81ab028ba022f9cf111bd7ffcf0103ef1208edb0
-
Filesize
127KB
MD5ccccc8741100aaf54c4e0ae3940b65bc
SHA11a92fa518ae6600bcb5934eda15f8522958e73f1
SHA25601d659257e1a2a88f1fa4561d691ed7faf07ca0208f5030122aa3cce58c61951
SHA5127ddf1f6e058378131074ee4b83b5182c1a1e9ca9166f4d0b6d7ba48282e1e936276884e0919c7881fa000b7e81ab028ba022f9cf111bd7ffcf0103ef1208edb0
-
Filesize
7KB
MD50e71a4312067821413f56ab62591630b
SHA17024b58142984c1e4f4dabd95f9c0fd5514c0db0
SHA256ada8fd09206e747ba3f12d117d9a352043dd7abcafb4d47c71e1ce5ab6b98d4d
SHA5128e6ff9104ec46bcda8034183269eb22d95aebb17578fa9f1e794327790b995185f0fb7114475081d9a576e094ae0249c431afe537e222ba6f9aca3f795df3a28
-
-
Filesize
5.6MB
-
-
Filesize
624KB
-
Filesize
220KB
-
Filesize
1.8MB
-
Filesize
584KB
-
Filesize
40KB
-
-
-
-