Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
10-07-2024 09:44
Static task
static1
Behavioral task
behavioral1
Sample
DHL_FORM_16022021.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
DHL_FORM_16022021.exe
Resource
win10v2004-20240709-en
General
-
Target
DHL_FORM_16022021.exe
-
Size
957KB
-
MD5
e906fa26bdbd8f4dfd848c86c59b5662
-
SHA1
11633695c7db5dca2ee79d13d66a0d38e0c93e48
-
SHA256
072b5e15bd74b972d408910263e80c07cb6b4f17d3eb6024508b457f7dd84e87
-
SHA512
4e0d0108ad724d119a729994dd2402139c32e5e1e8c4236150f568b7d978bae8a2d4a532bf8fb669dcfe2d26f52719f1f12dcb3922c5a95beab75e16f44f1fb1
-
SSDEEP
12288:/g+7IhD+7v1MLfIhmC1jQp16V2dUkj0Rgh1UYWntHaD9VO84GkKHmhz5Z7:/gPhD+AIhmC18ldVj06SYpxVODF7Z
Malware Config
Extracted
snakekeylogger
https://api.telegram.org/bot1634002210:AAGipukUEr-bNBgl2R1_hwFgfb9ez_v6wzE/sendMessage?chat_id=1401219117
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
DHL_FORM_16022021.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL_FORM_16022021.exe Key opened \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL_FORM_16022021.exe Key opened \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL_FORM_16022021.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 15 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
DHL_FORM_16022021.exedescription pid process target process PID 1740 set thread context of 3748 1740 DHL_FORM_16022021.exe DHL_FORM_16022021.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3128 3748 WerFault.exe DHL_FORM_16022021.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
DHL_FORM_16022021.exeDHL_FORM_16022021.exepid process 1740 DHL_FORM_16022021.exe 3748 DHL_FORM_16022021.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
DHL_FORM_16022021.exeDHL_FORM_16022021.exedescription pid process Token: SeDebugPrivilege 1740 DHL_FORM_16022021.exe Token: SeDebugPrivilege 3748 DHL_FORM_16022021.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
DHL_FORM_16022021.exedescription pid process target process PID 1740 wrote to memory of 3748 1740 DHL_FORM_16022021.exe DHL_FORM_16022021.exe PID 1740 wrote to memory of 3748 1740 DHL_FORM_16022021.exe DHL_FORM_16022021.exe PID 1740 wrote to memory of 3748 1740 DHL_FORM_16022021.exe DHL_FORM_16022021.exe PID 1740 wrote to memory of 3748 1740 DHL_FORM_16022021.exe DHL_FORM_16022021.exe PID 1740 wrote to memory of 3748 1740 DHL_FORM_16022021.exe DHL_FORM_16022021.exe PID 1740 wrote to memory of 3748 1740 DHL_FORM_16022021.exe DHL_FORM_16022021.exe PID 1740 wrote to memory of 3748 1740 DHL_FORM_16022021.exe DHL_FORM_16022021.exe PID 1740 wrote to memory of 3748 1740 DHL_FORM_16022021.exe DHL_FORM_16022021.exe -
outlook_office_path 1 IoCs
Processes:
DHL_FORM_16022021.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL_FORM_16022021.exe -
outlook_win_path 1 IoCs
Processes:
DHL_FORM_16022021.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 DHL_FORM_16022021.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\DHL_FORM_16022021.exe"C:\Users\Admin\AppData\Local\Temp\DHL_FORM_16022021.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Users\Admin\AppData\Local\Temp\DHL_FORM_16022021.exe"C:\Users\Admin\AppData\Local\Temp\DHL_FORM_16022021.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3748 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 15323⤵
- Program crash
PID:3128
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3748 -ip 37481⤵PID:324