Analysis
- max time kernel: 21s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231201-en
- resource tags: arch:x64, arch:x86, image:win7-20231201-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2023 16:55
Static task: static1
Behavioral task: behavioral1
- Sample: REMITTANCE SWIFT.exe
- Resource: win7-20231201-en
Behavioral task: behavioral2
- Sample: REMITTANCE SWIFT.exe
- Resource: win10v2004-20231127-en
General
- Target: REMITTANCE SWIFT.exe
- Size: 613KB
- MD5: f31bad5c33706d19bb437286c611c96f
- SHA1: b1c62e91f2d3a639bc457594184d01ed70fbe70b
- SHA256: 3198d00651176dccb2f68869fd1fb7882daa1073006b963b2dc254f4e28fddf2
- SHA512: 5af7aa0e49031c4e12935555e8cae35611382b583ff1596215bdebf78946fe5fa36c93a322aa12275c359ef30cd50a7dedee526b0d5a1f0f1bbeed957898b617
- SSDEEP: 12288:UG5nF8ME6jD/cddS/YNsSGxc1wYGDYkPX19oFppwsW:UGPtD/SdS/YNsbxcfzkPXwHF
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.alualuminium.com.my
- Port: 587
- Username: [email protected]
- Password: U8G4S13#8Zk$
- Email To: [email protected]
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (6 IoCs)
  YARA rule family_snakekeylogger matched in:
  behavioral1/memory/2568-24-0x0000000000400000-0x0000000000426000-memory.dmp
  behavioral1/memory/2568-34-0x0000000000400000-0x0000000000426000-memory.dmp
  behavioral1/memory/2568-32-0x0000000000400000-0x0000000000426000-memory.dmp
  behavioral1/memory/2568-30-0x0000000000400000-0x0000000000426000-memory.dmp
  behavioral1/memory/2568-26-0x0000000000400000-0x0000000000426000-memory.dmp
  behavioral1/memory/2720-47-0x0000000002CF0000-0x0000000002D30000-memory.dmp
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 2: checkip.dyndns.org
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  WerFault.exe PID 1888, target PID 2568 (REMITTANCE SWIFT.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 1720 REMITTANCE SWIFT.exe (3 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1720 REMITTANCE SWIFT.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1720 (REMITTANCE SWIFT.exe) wrote to memory of PID 2720 (powershell.exe), 4 occurrences
  PID 1720 (REMITTANCE SWIFT.exe) wrote to memory of PID 2908 (powershell.exe), 4 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\REMITTANCE SWIFT.exe (PID 1720)
  Command line: "C:\Users\Admin\AppData\Local\Temp\REMITTANCE SWIFT.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2720)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\REMITTANCE SWIFT.exe"
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2908)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GgPjILmv.exe"
  - C:\Windows\SysWOW64\schtasks.exe (PID 2668)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GgPjILmv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5BB7.tmp"
    Signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\REMITTANCE SWIFT.exe (PID 2568)
    Command line: "C:\Users\Admin\AppData\Local\Temp\REMITTANCE SWIFT.exe"
    - C:\Windows\SysWOW64\WerFault.exe (PID 1888)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 972
      Signatures: Program crash
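Added example, not part of the sandbox report or of any vendor tooling: a small set of Python hunt rules for the behaviours visible in this run (Defender exclusions added through Add-MpPreference, a scheduled task registered from an XML file in %TEMP%, LOLBins spawned by a binary living in a user-writable directory, the sample re-spawning itself, the checkip.dyndns.org lookup, and SMTP on port 587 from something that is not a mail client), run over constructed Sysmon-style events modelled on the process tree, DNS flow and C2 config above. The event field names, the explorer.exe parent PID, the Get-Date and OUTLOOK.EXE benign controls, the extra IP-lookup hosts and the mail-client allow-list are assumptions.

```python
"""Hunt rules for the behaviours in this report, run over constructed Sysmon-style events.

Event shapes (assumed, simplified from Sysmon field names):
  id 1  process create:   pid, ppid, image, cmd
  id 22 DNS query:        pid, image, query
  id 3  network connect:  pid, image, dst_host, dst_port
"""
import re
from collections import Counter

# Directories a standard user can write to; code running from here deserves a closer look.
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
# checkip.dyndns.org is the service this sample used; the other hosts are an assumed watch-list.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.amazonaws.com", "api.ipify.org", "icanhazip.com"}
MAIL_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}                       # assumed allow-list
LOLBINS = {"powershell.exe", "schtasks.exe", "cmd.exe", "wscript.exe"}  # assumed watch-list

DEFENDER_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)", re.I)
SCHTASKS_XML = re.compile(r'schtasks(\.exe)?"?\s+/create\b.*?/xml\s+"?([^"]+)', re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\REMITTANCE SWIFT.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'  # as logged in the report
SCHTASKS_CMD = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GgPjILmv" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp5BB7.tmp"')

# Constructed events modelled on the process tree, DNS flow and C2 config in this report; the
# explorer.exe parent (pid 900) and the Get-Date / OUTLOOK.EXE benign controls are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 1720, "ppid": 900, "image": SAMPLE, "cmd": '"' + SAMPLE + '"'},
    {"id": 1, "pid": 2720, "ppid": 1720, "image": PS_IMAGE,
     "cmd": PS_CMD + ' Add-MpPreference -ExclusionPath "' + SAMPLE + '"'},
    {"id": 1, "pid": 2908, "ppid": 1720, "image": PS_IMAGE,
     "cmd": PS_CMD + r' Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GgPjILmv.exe"'},
    {"id": 1, "pid": 2668, "ppid": 1720, "image": r"C:\Windows\SysWOW64\schtasks.exe", "cmd": SCHTASKS_CMD},
    {"id": 1, "pid": 2568, "ppid": 1720, "image": SAMPLE, "cmd": '"' + SAMPLE + '"'},
    {"id": 22, "pid": 2568, "image": SAMPLE, "query": "checkip.dyndns.org"},
    {"id": 3, "pid": 2568, "image": SAMPLE, "dst_host": "mail.alualuminium.com.my", "dst_port": 587},
    # benign controls (constructed): an interactive PowerShell and a real mail client
    {"id": 1, "pid": 4000, "ppid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Date"},
    {"id": 3, "pid": 4100, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_host": "mail.example.com", "dst_port": 587},
]


def image_name(path):
    """Basename of an image path, lower-cased, so SysWOW64 and System32 copies compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return one finding per rule hit: {"rule", "pid", "image", "detail"}."""
    parent_image = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    findings = []

    def hit(rule, e, detail):
        findings.append({"rule": rule, "pid": e["pid"], "image": image_name(e["image"]), "detail": detail})

    for e in events:
        if e["id"] == 1:
            cmd, parent = e["cmd"], parent_image.get(e["ppid"], "")
            # Defender exclusion added from the command line (the two powershell children above).
            if DEFENDER_EXCLUSION.search(cmd):
                hit("defender_exclusion_added", e, cmd)
            # Scheduled task registered from an XML definition dropped in a user-writable path.
            m = SCHTASKS_XML.search(cmd)
            if m and USER_WRITABLE.search(m.group(2)):
                hit("schtasks_xml_from_user_writable", e, m.group(2))
            # A binary in %TEMP% / Roaming driving a LOLBin: the persistence and evasion pattern above.
            if USER_WRITABLE.search(parent) and image_name(e["image"]) in LOLBINS:
                hit("lolbin_from_user_writable_parent", e, parent)
            # Same image spawning itself (pid 2568 here) is the usual precursor to hollowing.
            if parent and parent.lower() == e["image"].lower():
                hit("self_spawn", e, parent)
        elif e["id"] == 22:
            if e["query"].lower() in IP_LOOKUP_HOSTS and USER_WRITABLE.search(e["image"]):
                hit("external_ip_lookup", e, e["query"])
        elif e["id"] == 3:
            if e["dst_port"] in MAIL_PORTS and image_name(e["image"]) not in MAIL_CLIENTS:
                hit("smtp_from_non_mail_client", e, f'{e["dst_host"]}:{e["dst_port"]}')
    return findings


def rule_counts(events):
    """Summary of rule -> number of hits, for a quick triage table."""
    return dict(Counter(f["rule"] for f in hunt(events)))


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f'{f["rule"]:32} pid={f["pid"]:<5} {f["image"]}  {f["detail"]}')
```

Two points worth keeping in mind when porting these rules to real telemetry. The report records the image as C:\Windows\SysWOW64\... while the logged command line says System32: the 32-bit parent is subject to WOW64 file-system redirection, which is why the rules compare image basenames rather than full paths. And Add-MpPreference needs an elevated token to succeed, but the process-creation event is written whether or not the exclusion was actually applied, so the rule fires on the attempt; confirm the outcome with Get-MpPreference on the host.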
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 82ecaaa83667cdff5ba57105ae52e257
  SHA1: c951190422f0088384b2be00f4cb01a45453ca13
  SHA256: d27ef74aa35ec4cca645e295300489a413a9165cf9f192a3108eea9892f5609d
  SHA512: 9a2f6b12f90cbfb1501164b5c788c15f5db4e25833036e1516612d4d60aab3d35691ef8395e84f5cabcf055c0aa1040a500dd19223c1d39a1c10c83384dc8200
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LHVYRIPM6RXLRA7HMSL0.temp
  Filesize: 7KB
  MD5: 45fe4efbf6e784210b5765b71cdfda1a
  SHA1: 6be33a987249bf8e842c92b16867095b723b22a7
  SHA256: f51d53b15f3f84c397b946df406bd55c95a3e7a22c71393208ce345d37dbcf5c
  SHA512: c4a3648f040f6e950249588097a74cbc97a13165adc6516523b73114372c026a357f3f8f708ce8cf9ecd35875bb6794aca00c08086776c53704ea44edc3421fe
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 45fe4efbf6e784210b5765b71cdfda1a
  SHA1: 6be33a987249bf8e842c92b16867095b723b22a7
  SHA256: f51d53b15f3f84c397b946df406bd55c95a3e7a22c71393208ce345d37dbcf5c
  SHA512: c4a3648f040f6e950249588097a74cbc97a13165adc6516523b73114372c026a357f3f8f708ce8cf9ecd35875bb6794aca00c08086776c53704ea44edc3421fe