Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
10-11-2023 17:13
Static task
static1
Behavioral task
behavioral1
Sample
Remittance Advice.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
Remittance Advice.exe
Resource
win10v2004-20231025-en
General
-
Target
Remittance Advice.exe
-
Size
351KB
-
MD5
d110b0f2602558c3d8b88de7cfe037f5
-
SHA1
5f793d032ab11aca6877ab37df9b4f9c2d681afa
-
SHA256
6577f5c5150e1dc818be87c2483db10b3af00effc2faf5c1acd174a8db760001
-
SHA512
ae5a8b3686d68df8bd5bf1ab1c27626d251e119392b0a3b2c40b36b38d2077c3147c4f2e47e9899fe8be9b178d0bd18cda080de06fe007af0245d651f6e2abd9
-
SSDEEP
6144:N79QdWMg8s6TiYedIEyqS5gSDA8X0w68/lE1nwXvOQNBrrIya/EZD7dU:XsY6Ti7dIEVSOS83b2WQNBvko7m
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.yandex.com - Port:
587 - Username:
[email protected] - Password:
chijiokejackson121
https://api.telegram.org/bot5206100572:AAFn3MxBuN0bjQhfY8y1ed9Iwi79LyIe75I/sendMessage?chat_id=2135869667
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/1728-12-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/1728-13-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/1728-16-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/1728-18-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral1/memory/1728-21-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger -
Drops startup file 2 IoCs
Processes:
Powershell.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe Powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe Powershell.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Remittance Advice.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Remittance Advice.exe Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Remittance Advice.exe Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Remittance Advice.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Remittance Advice.exedescription pid process target process PID 2320 set thread context of 1728 2320 Remittance Advice.exe Remittance Advice.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
Remittance Advice.exePowershell.exepid process 1728 Remittance Advice.exe 1708 Powershell.exe 1728 Remittance Advice.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Remittance Advice.exePowershell.exedescription pid process Token: SeDebugPrivilege 1728 Remittance Advice.exe Token: SeDebugPrivilege 1708 Powershell.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
Remittance Advice.exedescription pid process target process PID 2320 wrote to memory of 1708 2320 Remittance Advice.exe Powershell.exe PID 2320 wrote to memory of 1708 2320 Remittance Advice.exe Powershell.exe PID 2320 wrote to memory of 1708 2320 Remittance Advice.exe Powershell.exe PID 2320 wrote to memory of 1708 2320 Remittance Advice.exe Powershell.exe PID 2320 wrote to memory of 1728 2320 Remittance Advice.exe Remittance Advice.exe PID 2320 wrote to memory of 1728 2320 Remittance Advice.exe Remittance Advice.exe PID 2320 wrote to memory of 1728 2320 Remittance Advice.exe Remittance Advice.exe PID 2320 wrote to memory of 1728 2320 Remittance Advice.exe Remittance Advice.exe PID 2320 wrote to memory of 1728 2320 Remittance Advice.exe Remittance Advice.exe PID 2320 wrote to memory of 1728 2320 Remittance Advice.exe Remittance Advice.exe PID 2320 wrote to memory of 1728 2320 Remittance Advice.exe Remittance Advice.exe PID 2320 wrote to memory of 1728 2320 Remittance Advice.exe Remittance Advice.exe PID 2320 wrote to memory of 1728 2320 Remittance Advice.exe Remittance Advice.exe -
outlook_office_path 1 IoCs
Processes:
Remittance Advice.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Remittance Advice.exe -
outlook_win_path 1 IoCs
Processes:
Remittance Advice.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Remittance Advice.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Remittance Advice.exe"C:\Users\Admin\AppData\Local\Temp\Remittance Advice.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Remittance Advice.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708 -
C:\Users\Admin\AppData\Local\Temp\Remittance Advice.exe"C:\Users\Admin\AppData\Local\Temp\Remittance Advice.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1728