Overview

overview

10

Static

static

1

eeb19ccec8...95.exe

windows7-x64

8

eeb19ccec8...95.exe

windows10-2004-x64

10

Citicorp.ps1

windows7-x64

3

Citicorp.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-11-2024 04:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eeb19ccec86a82f4ebbe4512ebadca5089bc192478a356a99824a89b1f122995.exe

  • Size

    762KB

  • MD5

    4398a15085a3837ef2ef6a7b056643c6

  • SHA1

    d15e71d5e8e9b750d429c7602d98e7203c24543b

  • SHA256

    eeb19ccec86a82f4ebbe4512ebadca5089bc192478a356a99824a89b1f122995

  • SHA512

    34b5b0b7299c325a525675c8a0cc9e4cd6ce724866530bba7933c783c87d73f477297e8d865af6836926e5cf579292f4ce385f2c2c8ce89f916199d048a8dafe

  • SSDEEP

    12288:8PG/hGy3E/kipG6IhwYz0BWIbyuwQL3OWntl81tTTZ/Oi5DwFyEionDud:QGhbYpGjhwYzO5yRQLvf81BV2m6ionDE

Score
10/10
snakekeyloggercollectiondiscoveryexecutionkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 2 IoCs
  • Snakekeylogger family
    snakekeylogger
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Blocklisted process makes network request 7 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eeb19ccec86a82f4ebbe4512ebadca5089bc192478a356a99824a89b1f122995.exe
    "C:\Users\Admin\AppData\Local\Temp\eeb19ccec86a82f4ebbe4512ebadca5089bc192478a356a99824a89b1f122995.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Notifiers73=Get-Content -raw 'C:\Users\Admin\AppData\Local\Temp\Stragglier\Citicorp.Amf';$Superscribing=$Notifiers73.SubString(53509,3);.$Superscribing($Notifiers73)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:440
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:940

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Stragglier\Citicorp.Amf
    Filesize

    52KB

    MD5

    50a86de35927f45ce009f37494068b0d

    SHA1

    880c888d5e156d7080395c964614872fe42ac89d

    SHA256

    ff7d67d9d4613f0716febf78a0e813953862c77bb5f084eebf881ac02809984b

    SHA512

    230f60733ee595111e91b0bb9c99a5a4c72b5ebfb1b77ff544b5aadeff5179fccfcd473fa8caa290798d6558f753663d21f966a6db9b2193d15e81adef6159d6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Stragglier\Gudsbevis.Can
    Filesize

    303KB

    MD5

    9a6846335f888bd98b7a3439944f4861

    SHA1

    6a560953e0c1a73e0c7ad8b70787337fc77c44c9

    SHA256

    25d465d3c7065ed206fc060a68aafb67ca1c7458ab59aa027c4d5b3882ddd0e8

    SHA512

    9da8b9c39564b62250fb3db160ec4605deb7d384813953f3ecf63586f065704528e54d47d09fe7e962650112188e3b4fb7d5cf33f620d3ec84510bc94fef15ff

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dubsmqpu.ibx.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/440-42-0x0000000073D60000-0x0000000074510000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/440-69-0x0000000073D60000-0x0000000074510000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/440-19-0x0000000073D60000-0x0000000074510000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/440-26-0x0000000005A10000-0x0000000005A76000-memory.dmp

    Filesize

    408KB

    Download

  • memory/440-16-0x0000000073D60000-0x0000000074510000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/440-20-0x00000000059A0000-0x0000000005A06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/440-31-0x0000000005A80000-0x0000000005DD4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/440-32-0x0000000006080000-0x000000000609E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/440-33-0x00000000060D0000-0x000000000611C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/440-36-0x00000000065F0000-0x0000000006612000-memory.dmp

    Filesize

    136KB

    Download

  • memory/440-35-0x00000000065A0000-0x00000000065BA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/440-37-0x00000000078E0000-0x0000000007E84000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/440-34-0x0000000007050000-0x00000000070E6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/440-17-0x00000000051C0000-0x00000000057E8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/440-39-0x0000000008510000-0x0000000008B8A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/440-43-0x0000000070350000-0x00000000706A4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/440-40-0x00000000074D0000-0x0000000007502000-memory.dmp

    Filesize

    200KB

    Download

  • memory/440-54-0x0000000007510000-0x000000000752E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/440-41-0x00000000701E0000-0x000000007022C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/440-56-0x0000000073D60000-0x0000000074510000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/440-55-0x0000000007540000-0x00000000075E3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/440-14-0x0000000073D6E000-0x0000000073D6F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/440-59-0x00000000077F0000-0x0000000007814000-memory.dmp

    Filesize

    144KB

    Download

  • memory/440-58-0x00000000077C0000-0x00000000077EA000-memory.dmp

    Filesize

    168KB

    Download

  • memory/440-44-0x0000000073D60000-0x0000000074510000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/440-57-0x0000000007640000-0x000000000764A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/440-60-0x0000000073D60000-0x0000000074510000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/440-62-0x0000000073D60000-0x0000000074510000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/440-15-0x0000000004AB0000-0x0000000004AE6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/440-64-0x0000000073D60000-0x0000000074510000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/440-66-0x0000000073D6E000-0x0000000073D6F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/440-65-0x0000000008B90000-0x0000000009F01000-memory.dmp

    Filesize

    19.4MB

    Download

  • memory/440-67-0x0000000073D60000-0x0000000074510000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/440-68-0x0000000073D60000-0x0000000074510000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/440-18-0x00000000050C0000-0x00000000050E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/440-70-0x0000000073D60000-0x0000000074510000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/440-71-0x0000000073D60000-0x0000000074510000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/940-72-0x0000000001EA0000-0x0000000003211000-memory.dmp

    Filesize

    19.4MB

    Download

  • memory/940-86-0x0000000000C40000-0x0000000000C66000-memory.dmp

    Filesize

    152KB

    Download

  • memory/940-85-0x0000000000C40000-0x0000000001E94000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/940-87-0x00000000211B0000-0x000000002124C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/940-89-0x0000000001EA0000-0x0000000003211000-memory.dmp

    Filesize

    19.4MB

    Download

  • memory/940-90-0x0000000021C70000-0x0000000021CC0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/940-91-0x0000000021E90000-0x0000000022052000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/940-92-0x0000000021D60000-0x0000000021DF2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/940-93-0x0000000021680000-0x000000002168A000-memory.dmp

    Filesize

    40KB

    Download