Analysis

  • max time kernel
    141s
  • max time network
    112s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/03/2023, 06:14 UTC

General

  • Target

    Balance payment.exe

  • Size

    283KB

  • MD5

    338b022ed773533c2df2c0d940791682

  • SHA1

    8e08acf19970e369a6755c0b8a0789b5019b191d

  • SHA256

    e7e5b2d142ef7cf284f13c79979200a577e782ab42b1450367fa516a5fe0e74f

  • SHA512

    56614594dc6b2053332e5666c6d7986ee682d79482f9dd3d32bb8f4b691d18b919b2ad77b9b28513fca9bba952f74155788959c30d52b67a828960fb47598099

  • SSDEEP

    6144:vYa6cmProlCbisHQRkvLkFPOplpq1mELmrGmPQ2psy1:vY5eCbTQQL8P8lMmbrVIc1

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5823972698:AAHGWA61QeYpJM1ENmt5PClaUm736yipsbw/sendMessage?chat_id=2126102657

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

  • Snake Keylogger payload 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Balance payment.exe
    "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Users\Admin\AppData\Local\Temp\ubifldxz.exe
      "C:\Users\Admin\AppData\Local\Temp\ubifldxz.exe" C:\Users\Admin\AppData\Local\Temp\dtkehugnw.b
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Users\Admin\AppData\Local\Temp\ubifldxz.exe
        "C:\Users\Admin\AppData\Local\Temp\ubifldxz.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:280

Network

  • flag-us
    DNS
    checkip.dyndns.org
    ubifldxz.exe
    Remote address:
    8.8.8.8:53
    Request
    checkip.dyndns.org
    IN A
    Response
    checkip.dyndns.org
    IN CNAME
    checkip.dyndns.com
    checkip.dyndns.com
    IN A
    132.226.247.73
    checkip.dyndns.com
    IN A
    132.226.8.169
    checkip.dyndns.com
    IN A
    193.122.130.0
    checkip.dyndns.com
    IN A
    193.122.6.168
    checkip.dyndns.com
    IN A
    158.101.44.242
  • flag-br
    GET
    http://checkip.dyndns.org/
    ubifldxz.exe
    Remote address:
    132.226.247.73:80
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 28 Mar 2023 06:14:19 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
  • 132.226.247.73:80
    http://checkip.dyndns.org/
    http
    ubifldxz.exe
    433 B
    798 B
    6
    6

    HTTP Request

    GET http://checkip.dyndns.org/

    HTTP Response

    200
  • 8.8.8.8:53
    checkip.dyndns.org
    dns
    ubifldxz.exe
    64 B
    176 B
    1
    1

    DNS Request

    checkip.dyndns.org

    DNS Response

    132.226.247.73
    132.226.8.169
    193.122.130.0
    193.122.6.168
    158.101.44.242

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\arkrdxnowuu.pi

    Filesize

    225KB

    MD5

    4c4c2bb8ac32820ea7f764a39930b691

    SHA1

    9d32ccebec4d20f05b5174a8df8e28522a45cac9

    SHA256

    2b4ded7f1c4dc807606fca8fdf6598c28dd1ca1595d814aaa68a72b019dc576f

    SHA512

    4c931c3777015bf0d230e815a0271aae7891942b5f39a5b494226139737cfad1acb5259b93bd81da6f2aae844e7de7ca107043a60bbecadd9d694abde0a7fa19

  • C:\Users\Admin\AppData\Local\Temp\dtkehugnw.b

    Filesize

    5KB

    MD5

    da52689529fb6d747ebf9416e58e347e

    SHA1

    37bb4e15e2a904806207a9e9b2e68e2e618b8afb

    SHA256

    69649f06f82a110ab970372928dbfa0eebdaad3801bfc4db0770c1f066a7001e

    SHA512

    ac398822050490c33a93c92b93a44eeb7020b96c7cb8b25f7008817a32393987d61b11dd5c24ec6075a117435d9c443ba0394215883d2f0fc6f0f846d20fca0e

  • C:\Users\Admin\AppData\Local\Temp\ubifldxz.exe

    Filesize

    138KB

    MD5

    d5171ff863900d72508088d68910d5f4

    SHA1

    3bdb12110f88d56d47aff74b460323691e99bf4f

    SHA256

    2ea56e830c3deb56564c023822a5e0d1f771983361fb4fe00753ac64501743c8

    SHA512

    6016f09eb32b4e0fc4fa97dbf28be78b829ff8026385146a49f8b6b8817152b9e919fa535fe4ce8b70b09284db8ff1fc05d28b8fc30886335820265ae12492de

  • \Users\Admin\AppData\Local\Temp\ubifldxz.exe

    Filesize

    138KB

    MD5

    d5171ff863900d72508088d68910d5f4

    SHA1

    3bdb12110f88d56d47aff74b460323691e99bf4f

    SHA256

    2ea56e830c3deb56564c023822a5e0d1f771983361fb4fe00753ac64501743c8

    SHA512

    6016f09eb32b4e0fc4fa97dbf28be78b829ff8026385146a49f8b6b8817152b9e919fa535fe4ce8b70b09284db8ff1fc05d28b8fc30886335820265ae12492de

  • memory/280-68-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/280-72-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/280-74-0x00000000003D0000-0x00000000003F6000-memory.dmp

    Filesize

    152KB

  • memory/280-76-0x00000000046C0000-0x0000000004700000-memory.dmp

    Filesize

    256KB

  • memory/280-75-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/1924-70-0x00000000002A0000-0x00000000002A2000-memory.dmp

    Filesize

    8KB
