Overview

overview

10

Static

static

3

Ekstre.exe

windows7-x64

10

Ekstre.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    35s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    10/05/2023, 10:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ekstre.exe

  • Size

    1.3MB

  • MD5

    076d5430af1ffea960bd52cfc641e99b

  • SHA1

    aba1bf8a90fabe96565ecec2022d24e34626a921

  • SHA256

    ee0fac5b1ab0a1e4c8efadea7919f8f1105d0928ca3a7c359a65af0246e06cf1

  • SHA512

    50966bf59360c3a6a52716e3bb63a5d91bad4bd208241431ed15107ba94f40b4a6790042e0839ec8d63a3c521242032ad374b7511b5aa194eff5b063226d38bd

  • SSDEEP

    24576:lTbBv5rUFcD6vbKBdqT4oDKvMrBW4eNTygt90e+hoyaxlI:PBH6vbKBUT4/vMr8jygt+0I

Score
10/10
snakekeyloggercollectionkeyloggerpersistencestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5932548741:AAFytn5z9IUn93hcbUn3eb19fE08x1AWGz0/sendMessage?chat_id=5034680713

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ekstre.exe
    "C:\Users\Admin\AppData\Local\Temp\Ekstre.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1136
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\System32\wscript.exe" Update-vq.h.vbe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\uipd\ukuvts.pif
        "C:\uipd\ukuvts.pif" mtdg.docx
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1524
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:1632

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\uipd\Update-vq.h.vbe
    Filesize

    68KB

    MD5

    f2188baab2aee3bba03d2bbb54cd26a6

    SHA1

    6464287935716184e60a2e12f3cbd86b349500e3

    SHA256

    20db80e434a6f9d78ef8a3ec2014342d8c236f1d79c06cc09d847010bda6a17e

    SHA512

    206e8384ee4f69cd3d8b8f267b4238da33287866572eba2191bdf552830206eeebc39ad269f34823c44bf238a32f01883d19f42af6096208098a869fbd361053

    Download Submit

  • C:\uipd\mtdg.docx
    Filesize

    101.1MB

    MD5

    6bb33ebf17de8bcff95d725450653cbf

    SHA1

    1a963327740ad4671f8f7e44588d44bb1d6e17e9

    SHA256

    f1cc13f23c5098d60fae62958227f598d5d060ac8fa27b2decf2745c852f4a21

    SHA512

    74a3d846a39af4ea8fc450c5597867ad45a19716d0877d1b1ddcba34ce68ef58e124debd409e633272b1d171bb2671e97da00a005068f99995e206ee9a97405d

    Download Submit

  • C:\uipd\oqwhhb.exe
    Filesize

    40KB

    MD5

    38633e2c314da564960d6b049003a664

    SHA1

    ad77a1f49cee834d026a21a30e99fc07ebc4fde3

    SHA256

    d92d2740e1559b9b708077fb888fc7f516e0ea0252b8a5b928ec431d96f89a68

    SHA512

    94f3bcf97e7bb50495aee2d491e1b21f6453e3bc5520bf2bdba9ff4d9246c21990c867937fc897a4ae84fb636259c7032d177ee01914e1c249f46c4354e6ae00

    Download Submit

  • C:\uipd\sqpgdk.npc
    Filesize

    217KB

    MD5

    090746eddc51c3e519a07916b62a2b4b

    SHA1

    66bd63fca76dc200d522dbefd19cad2c403cede4

    SHA256

    252293c2696cd64b9ea054971192c62097d12e1a639ad6d988267e0648c706a0

    SHA512

    065ae7912a13f7a312c33783e5f1e3a78084fdaa49460e78a280d8925389f2fdf65dcac84072c545f033d5a98ab0ffa7ff15c88c5b203f72f668a137a288d73f

    Download Submit

  • C:\uipd\ukuvts.pif
    Filesize

    1.6MB

    MD5

    a533f7dd1fee72bcc5dfd2d17f91bd00

    SHA1

    a735119723b8f1ffe39942dc0537d2b9714e0ca6

    SHA256

    8d7ff6354a950ed066d2513fbf059918b399bfb8232be5be90768746cb2a3684

    SHA512

    4d7ad0cba961d11eb3604bd116b8fb08e3de5500cbeccb08aa60e9cc4720371fa50dd20ac2ebe6d05635f31f2b58d855b2afa05c1786461ea23c9cb9985ffd3f

    Download Submit

  • C:\uipd\ukuvts.pif
    Filesize

    1.6MB

    MD5

    a533f7dd1fee72bcc5dfd2d17f91bd00

    SHA1

    a735119723b8f1ffe39942dc0537d2b9714e0ca6

    SHA256

    8d7ff6354a950ed066d2513fbf059918b399bfb8232be5be90768746cb2a3684

    SHA512

    4d7ad0cba961d11eb3604bd116b8fb08e3de5500cbeccb08aa60e9cc4720371fa50dd20ac2ebe6d05635f31f2b58d855b2afa05c1786461ea23c9cb9985ffd3f

    Download Submit

  • \uipd\ukuvts.pif
    Filesize

    1.6MB

    MD5

    a533f7dd1fee72bcc5dfd2d17f91bd00

    SHA1

    a735119723b8f1ffe39942dc0537d2b9714e0ca6

    SHA256

    8d7ff6354a950ed066d2513fbf059918b399bfb8232be5be90768746cb2a3684

    SHA512

    4d7ad0cba961d11eb3604bd116b8fb08e3de5500cbeccb08aa60e9cc4720371fa50dd20ac2ebe6d05635f31f2b58d855b2afa05c1786461ea23c9cb9985ffd3f

    Download Submit

  • memory/1632-123-0x0000000000390000-0x0000000000AC4000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1632-124-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1632-125-0x0000000000390000-0x0000000000AC4000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1632-127-0x0000000000390000-0x0000000000AC4000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1632-129-0x0000000000390000-0x0000000000AC4000-memory.dmp

    Filesize

    7.2MB

    Download

  • memory/1632-130-0x0000000000390000-0x00000000003B6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1632-131-0x0000000004BE0000-0x0000000004C20000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1632-132-0x0000000004BE0000-0x0000000004C20000-memory.dmp

    Filesize

    256KB

    Download