Analysis
- max time kernel: 36s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 05/05/2023, 20:53
Static task
- static1
Behavioral task
- behavioral1: Sample ORDERSCHEDULING.exe, Resource win7-20230220-en
Behavioral task
- behavioral2: Sample ORDERSCHEDULING.exe, Resource win10v2004-20230220-en
General
- Target: ORDERSCHEDULING.exe
- Size: 670KB
- MD5: 8905e52e205f687eb511b330e1b5c762
- SHA1: 44edd39613def9e8384b30b13fe1511bf3c2280b
- SHA256: 26309e8127d86579dd6ae130c52298039f110548d77182833c261f0b0f43a340
- SHA512: 449b022be5d3fc5121f6f62de458950abc508240f51c1bbec1aeaa5fe82197ad6ee29d0ab3634306508f3d5d3992f9101078c774ce261c2ffa31ab5cfa5ee7f5
- SSDEEP: 12288:uZo/arWBv6pOw5w+XBlwCu0eDQ+o5v6nnjqKoe:LarWN6pOgdXBlwCzIop6nnjqKoe
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.prestige.co.rs
- Port: 587
- Username: [email protected]
- Password: 4FIHB3RQQJR8
- Telegram endpoint: https://api.telegram.org/bot5723707890:AAH2xRvI7tQmHUTxHRRudv8WoyAoxdIIcOI/sendMessage?chat_id=1760125104
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (7 IoCs)
  resource | yara_rule
  behavioral1/memory/1808-59-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/1808-60-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/1808-62-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/1808-64-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/1808-66-0x0000000000400000-0x0000000000426000-memory.dmp | family_snakekeylogger
  behavioral1/memory/1808-67-0x0000000004430000-0x0000000004470000-memory.dmp | family_snakekeylogger
  behavioral1/memory/1808-68-0x0000000004430000-0x0000000004470000-memory.dmp | family_snakekeylogger
- StormKitty
  StormKitty is an open source info stealer written in C#.
- StormKitty payload (6 IoCs)
  resource | yara_rule
  behavioral1/memory/1808-59-0x0000000000400000-0x0000000000426000-memory.dmp | family_stormkitty
  behavioral1/memory/1808-60-0x0000000000400000-0x0000000000426000-memory.dmp | family_stormkitty
  behavioral1/memory/1808-62-0x0000000000400000-0x0000000000426000-memory.dmp | family_stormkitty
  behavioral1/memory/1808-64-0x0000000000400000-0x0000000000426000-memory.dmp | family_stormkitty
  behavioral1/memory/1808-66-0x0000000000400000-0x0000000000426000-memory.dmp | family_stormkitty
  behavioral1/memory/1808-67-0x0000000004430000-0x0000000004470000-memory.dmp | family_stormkitty
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ORDERSCHEDULING.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ORDERSCHEDULING.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ORDERSCHEDULING.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  3 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1460 set thread context of 1808 | 1460 | ORDERSCHEDULING.exe | 28
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1808 | ORDERSCHEDULING.exe
  1808 | ORDERSCHEDULING.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1808 | ORDERSCHEDULING.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1460 wrote to memory of 1808 | 1460 | ORDERSCHEDULING.exe | 28 (this identical row is reported 9 times)
- outlook_office_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ORDERSCHEDULING.exe
- outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ORDERSCHEDULING.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\ORDERSCHEDULING.exe (PID 1460)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ORDERSCHEDULING.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ORDERSCHEDULING.exe (PID 1808, child of PID 1460)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ORDERSCHEDULING.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path