Analysis
- max time kernel: 245s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 05/05/2023, 20:42
Static task: static1
Behavioral task: behavioral1
- Sample: GeneralAttachment.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: GeneralAttachment.exe
- Resource: win10v2004-20230220-en
General
- Target: GeneralAttachment.exe
- Size: 577KB
- MD5: f84c0765285cfa761e31bfa7f5f2b878
- SHA1: 5ef22c3d8dc871cb6a7b1c786db00ab558c64a97
- SHA256: 37617e571066d7e620392e8be59f962ae9c20dade410e7291b345bf669b0c59d
- SHA512: 7475d3467ecc6e5ca8597cfc797a9d52de808d9f4ca6e8645ec561336300c0843266cad33db5dd54e01bbbece0fbd7d090ed6b06a7b176c295ff26fc6ee7f827
- SSDEEP: 12288:34awZIJA5PDeLQM7SEUdnX+z3eSvDBKFtI0JrxwS:ygkDT2wnXQ7F0dxd
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: argona.ro
- Port: 26
- Username: [email protected]
- Password: Argona12!@
- Email To: [email protected]
Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.

Snake Keylogger payload (6 IoCs)
resource: yara_rule
- behavioral1/memory/1524-77-0x0000000000400000-0x0000000000426000-memory.dmp: family_snakekeylogger
- behavioral1/memory/1524-78-0x0000000000400000-0x0000000000426000-memory.dmp: family_snakekeylogger
- behavioral1/memory/1524-80-0x0000000000400000-0x0000000000426000-memory.dmp: family_snakekeylogger
- behavioral1/memory/1524-82-0x0000000000400000-0x0000000000426000-memory.dmp: family_snakekeylogger
- behavioral1/memory/1524-84-0x0000000000400000-0x0000000000426000-memory.dmp: family_snakekeylogger
- behavioral1/memory/1524-85-0x0000000000560000-0x00000000005A0000-memory.dmp: family_snakekeylogger
StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (6 IoCs)
resource: yara_rule
- behavioral1/memory/1524-77-0x0000000000400000-0x0000000000426000-memory.dmp: family_stormkitty
- behavioral1/memory/1524-78-0x0000000000400000-0x0000000000426000-memory.dmp: family_stormkitty
- behavioral1/memory/1524-80-0x0000000000400000-0x0000000000426000-memory.dmp: family_stormkitty
- behavioral1/memory/1524-82-0x0000000000400000-0x0000000000426000-memory.dmp: family_stormkitty
- behavioral1/memory/1524-84-0x0000000000400000-0x0000000000426000-memory.dmp: family_stormkitty
- behavioral1/memory/1524-85-0x0000000000560000-0x00000000005A0000-memory.dmp: family_stormkitty
Suspicious use of SetThreadContext (1 IoC)
description / pid / Process / procid_target
- PID 268 set thread context of 1524 / 268 / GeneralAttachment.exe / 32
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process
- 792 / schtasks.exe
Suspicious behavior: EnumeratesProcesses (31 IoCs)
pid / Process
- 268 / GeneralAttachment.exe (29 entries)
- 988 / powershell.exe (1 entry)
- 1524 / GeneralAttachment.exe (1 entry)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description / pid / Process
- Token: SeDebugPrivilege / 268 / GeneralAttachment.exe
- Token: SeDebugPrivilege / 988 / powershell.exe
- Token: SeDebugPrivilege / 1524 / GeneralAttachment.exe
Suspicious use of WriteProcessMemory (17 IoCs)
description / pid / Process / procid_target
- PID 268 wrote to memory of 988 / 268 / GeneralAttachment.exe / 28 (4 entries)
- PID 268 wrote to memory of 792 / 268 / GeneralAttachment.exe / 30 (4 entries)
- PID 268 wrote to memory of 1524 / 268 / GeneralAttachment.exe / 32 (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\GeneralAttachment.exe (PID 268)
  Command line: "C:\Users\Admin\AppData\Local\Temp\GeneralAttachment.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 988)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cvltQgKHOkpV.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 792)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cvltQgKHOkpV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAFE0.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\GeneralAttachment.exe (PID 1524)
    Command line: "C:\Users\Admin\AppData\Local\Temp\GeneralAttachment.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
- MD5: ad941b8069167ace733e10f7615787f2
- SHA1: 025ad39d9ea4770aec5691671556df7e6d08a7fd
- SHA256: 2a179bbac56b71d1cb40d2c87d9e60892b5583d0f9d973cf2f3bf30ec304253b
- SHA512: 80107b93304786ae929178b2806ec8701a42f1da6af5cdc207683fdfb35b809bf65241b0d380d94918f6b4cdc1a3a80df90d3269d9b57f24833edd27604f656f