Analysis
-
max time kernel
122s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
28-06-2024 06:13
General
-
Target
Cargo details.exe
-
Size
521KB
-
MD5
eaee1038c3ee0e44b7d5075ebc4546e2
-
SHA1
0bf2a8cf2726cad12d1c6ac4fc3fa1b7e4fc4e97
-
SHA256
08fbaa45a5b76b737f0163f59330fb7945a97b2ee0e90133ecbbb2c133d3b5e6
-
SHA512
0041109e649b1cb9e4ac8944578246c723aeae899f79ec8ea49566b54fce8609a06863e3299986144c3df7857f6ea4cd85840dce2422db9d7248702da2ec196a
-
SSDEEP
12288:c5kndm6oduitZWCxbLzRyCQYVNcSpUbubuF4a0eR9:Hng6oQiSCJM/Y3Ptg4heR9
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
valleycountysar.org - Port:
26 - Username:
[email protected] - Password:
fY,FLoadtsiF
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 5 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Cargo details.exe"C:\Users\Admin\AppData\Local\Temp\Cargo details.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Cargo details.exe"C:\Users\Admin\AppData\Local\Temp\Cargo details.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2196-0-0x000000007488E000-0x000000007488F000-memory.dmpFilesize
4KB
-
memory/2196-1-0x00000000012D0000-0x0000000001358000-memory.dmpFilesize
544KB
-
memory/2196-2-0x0000000000B70000-0x0000000000BC4000-memory.dmpFilesize
336KB
-
memory/2196-3-0x0000000074880000-0x0000000074F6E000-memory.dmpFilesize
6.9MB
-
memory/2196-4-0x0000000000520000-0x0000000000528000-memory.dmpFilesize
32KB
-
memory/2196-22-0x0000000074880000-0x0000000074F6E000-memory.dmpFilesize
6.9MB
-
memory/2252-18-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2252-19-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2252-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2252-15-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2252-11-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2252-10-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2252-7-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2252-20-0x0000000074880000-0x0000000074F6E000-memory.dmpFilesize
6.9MB
-
memory/2252-21-0x0000000074880000-0x0000000074F6E000-memory.dmpFilesize
6.9MB
-
memory/2252-5-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2252-23-0x0000000074880000-0x0000000074F6E000-memory.dmpFilesize
6.9MB
-
memory/2252-24-0x0000000074880000-0x0000000074F6E000-memory.dmpFilesize
6.9MB