Analysis
-
max time kernel
121s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
10-07-2024 09:44
Static task
static1
Behavioral task
behavioral1
Sample
DHL_FORM_16022021.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
DHL_FORM_16022021.exe
Resource
win10v2004-20240709-en
General
-
Target
DHL_FORM_16022021.exe
-
Size
957KB
-
MD5
e906fa26bdbd8f4dfd848c86c59b5662
-
SHA1
11633695c7db5dca2ee79d13d66a0d38e0c93e48
-
SHA256
072b5e15bd74b972d408910263e80c07cb6b4f17d3eb6024508b457f7dd84e87
-
SHA512
4e0d0108ad724d119a729994dd2402139c32e5e1e8c4236150f568b7d978bae8a2d4a532bf8fb669dcfe2d26f52719f1f12dcb3922c5a95beab75e16f44f1fb1
-
SSDEEP
12288:/g+7IhD+7v1MLfIhmC1jQp16V2dUkj0Rgh1UYWntHaD9VO84GkKHmhz5Z7:/gPhD+AIhmC18ldVj06SYpxVODF7Z
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot1634002210:AAGipukUEr-bNBgl2R1_hwFgfb9ez_v6wzE/sendMessage?chat_id=1401219117
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
DHL_FORM_16022021.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL_FORM_16022021.exe Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL_FORM_16022021.exe Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL_FORM_16022021.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 checkip.dyndns.org 8 freegeoip.app 9 freegeoip.app -
Suspicious use of SetThreadContext 1 IoCs
Processes:
DHL_FORM_16022021.exedescription pid process target process PID 2080 set thread context of 2928 2080 DHL_FORM_16022021.exe DHL_FORM_16022021.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2924 2928 WerFault.exe DHL_FORM_16022021.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
DHL_FORM_16022021.exeDHL_FORM_16022021.exepid process 2080 DHL_FORM_16022021.exe 2080 DHL_FORM_16022021.exe 2928 DHL_FORM_16022021.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
DHL_FORM_16022021.exeDHL_FORM_16022021.exedescription pid process Token: SeDebugPrivilege 2080 DHL_FORM_16022021.exe Token: SeDebugPrivilege 2928 DHL_FORM_16022021.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
DHL_FORM_16022021.exeDHL_FORM_16022021.exedescription pid process target process PID 2080 wrote to memory of 2788 2080 DHL_FORM_16022021.exe DHL_FORM_16022021.exe PID 2080 wrote to memory of 2788 2080 DHL_FORM_16022021.exe DHL_FORM_16022021.exe PID 2080 wrote to memory of 2788 2080 DHL_FORM_16022021.exe DHL_FORM_16022021.exe PID 2080 wrote to memory of 2788 2080 DHL_FORM_16022021.exe DHL_FORM_16022021.exe PID 2080 wrote to memory of 2928 2080 DHL_FORM_16022021.exe DHL_FORM_16022021.exe PID 2080 wrote to memory of 2928 2080 DHL_FORM_16022021.exe DHL_FORM_16022021.exe PID 2080 wrote to memory of 2928 2080 DHL_FORM_16022021.exe DHL_FORM_16022021.exe PID 2080 wrote to memory of 2928 2080 DHL_FORM_16022021.exe DHL_FORM_16022021.exe PID 2080 wrote to memory of 2928 2080 DHL_FORM_16022021.exe DHL_FORM_16022021.exe PID 2080 wrote to memory of 2928 2080 DHL_FORM_16022021.exe DHL_FORM_16022021.exe PID 2080 wrote to memory of 2928 2080 DHL_FORM_16022021.exe DHL_FORM_16022021.exe PID 2080 wrote to memory of 2928 2080 DHL_FORM_16022021.exe DHL_FORM_16022021.exe PID 2080 wrote to memory of 2928 2080 DHL_FORM_16022021.exe DHL_FORM_16022021.exe PID 2928 wrote to memory of 2924 2928 DHL_FORM_16022021.exe WerFault.exe PID 2928 wrote to memory of 2924 2928 DHL_FORM_16022021.exe WerFault.exe PID 2928 wrote to memory of 2924 2928 DHL_FORM_16022021.exe WerFault.exe PID 2928 wrote to memory of 2924 2928 DHL_FORM_16022021.exe WerFault.exe -
outlook_office_path 1 IoCs
Processes:
DHL_FORM_16022021.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL_FORM_16022021.exe -
outlook_win_path 1 IoCs
Processes:
DHL_FORM_16022021.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL_FORM_16022021.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\DHL_FORM_16022021.exe"C:\Users\Admin\AppData\Local\Temp\DHL_FORM_16022021.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Users\Admin\AppData\Local\Temp\DHL_FORM_16022021.exe"C:\Users\Admin\AppData\Local\Temp\DHL_FORM_16022021.exe"2⤵PID:2788
-
C:\Users\Admin\AppData\Local\Temp\DHL_FORM_16022021.exe"C:\Users\Admin\AppData\Local\Temp\DHL_FORM_16022021.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2928 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 11043⤵
- Program crash
PID:2924