Overview

overview

10

Static

static

1

Bukti-Transfer.vbe

windows7-x64

10

Bukti-Transfer.vbe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2024 09:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bukti-Transfer.vbe

  • Size

    9KB

  • MD5

    3a62dc625d7dd22fd4c2aba6e7058dd4

  • SHA1

    2b264827a034a913128d9fb362a3b789005ba4f0

  • SHA256

    895e3a8a58ca8d0b65bdb92d181ea4ebd53b479872e75c7455e892b58149cb38

  • SHA512

    0872c46046e565a8d0866e95a57a7dd1d9a86e3f17eba48901ffc2d913c598c2b44b4d285c508ade8446ba64de44b00d9baa74a72b59cda506ea58f711145b7f

  • SSDEEP

    192:FbmzV2nbm3m6G53Vm6z22m6THZKmQmjFm6TH8Mjm8bDmDj02IbmHKmvFnbmVFxVx:ZFbUIyKLK0LBrqPG

Score
10/10
snakekeyloggercollectioncredential_accessdiscoveryexecutionkeyloggerspywarestealer

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    evqqlnwkcmogylje

Extracted

Family

snakekeylogger

Credentials

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 2 IoCs
  • Snakekeylogger family
    snakekeylogger
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Bukti-Transfer.vbe"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4928
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GAXYEO.js"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4716
      • C:\Users\Admin\AppData\Local\Temp\UYc.exe
        "C:\Users\Admin\AppData\Local\Temp\UYc.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:2148

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\GAXYEO.js
    Filesize

    2.3MB

    MD5

    d66c8c34543b9c55c6a3b5f65399e54d

    SHA1

    76f8063ce1dea46a096e6151edf9713374e84eb6

    SHA256

    c69f5db538d67904adc6d53c663253c9534c8c8e2398264da0b794e3f6971c91

    SHA512

    34b8dfebaebcc6f46d175e89869152129bcead07da9f91ee3c14824c2ef8a0399810e7bd18be6c63a192584672a13d4f1e7cacc8ec41c3e514ae7b59afa260b1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\UYc.exe
    Filesize

    127KB

    MD5

    1059945eca2d1f4c6353dd139c384b94

    SHA1

    56c115c71e1c545415cdbbeb1acace1bb19860ff

    SHA256

    9751d1f8ca5488e5a17426d2d92af5daf7761deec3b7c9ccab0769d9cd25e49c

    SHA512

    a4794448080ea34b3bd0ff48bd5f4db3dbf4db60a99d29ae98c3f73e438e164ddd5acc22cbbfdd987880da3c80f58a5ac1ee1ac1e66c996296406b757cee2e67

    Download Submit

  • memory/2148-16-0x00000000000A0000-0x00000000000C6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2148-17-0x00000000050A0000-0x0000000005644000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2148-18-0x0000000004AF0000-0x0000000004B8C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2148-19-0x0000000006020000-0x00000000061E2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2148-20-0x0000000006290000-0x0000000006322000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2148-21-0x0000000006650000-0x000000000665A000-memory.dmp

    Filesize

    40KB

    Download