Overview

overview

10

Static

static

1

Bank Slip 2.rtf

windows7-x64

10

Bank Slip 2.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    120s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    01-07-2024 18:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bank Slip 2.rtf

  • Size

    415KB

  • MD5

    ff06a87dd0550386be1f780d560f1877

  • SHA1

    69e95738ec635520a508f7424a759261e5032cb0

  • SHA256

    511c82313461b74fe24201d13dead6a280311d248062e09a465eb950502d1c18

  • SHA512

    60e39f9628edbcb5118d53a2887c8f4879260d1d480a6a25960d58366fef2ca248b7115b521ff7de57c61063c1c35da0ac318fc22ad472b38b0cf34ecfd2534c

  • SSDEEP

    6144:PGuqGuqGuqGuqGuqGuqGuqGuqGuqGuqGuVhG+qMh9c:xe

Score
10/10
snakekeyloggercollectionexecutionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    mail.artefes.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ArtEfes4765*+

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 5 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Bank Slip 2.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2768
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Users\Admin\AppData\Roaming\obie8920193.exe
        "C:\Users\Admin\AppData\Roaming\obie8920193.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obie8920193.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1600
        • C:\Users\Admin\AppData\Roaming\obie8920193.exe
          "C:\Users\Admin\AppData\Roaming\obie8920193.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2328

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Exploitation for Client Execution

    1
    T1203

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Unsecured Credentials

    2
    T1552

    Credentials In Files

    2
    T1552.001

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      d7f315c6ee8a353228a4daa1a7cd2cf3

      SHA1

      4538ca436143f4fbd646b1d0728d6c478e756a73

      SHA256

      e28067fcf6e3ac3a41e51465be0acfe8e26af8de1e1df5813388f0dc579b3872

      SHA512

      1a025c763659cf003ca099029187fb2d9f9154d296cb4c95d2b01554d0816c716375ea3d0416d71ab14bcc89d40c71b0d494fe55c6c21774d7dc57529d1e008e

      Download Submit
    • \Users\Admin\AppData\Roaming\obie8920193.exe
      Filesize

      541KB

      MD5

      dbdacf479a9dd40133701e06e6dc401c

      SHA1

      5e78767cf2498d34fc27674ff326f2a7ce5ab2a3

      SHA256

      a597f53ed7d5e4cc1af67800969953f431c7c99467d75a42e3db360d7302283c

      SHA512

      f46d0fce9ad0e9c4a9142e53d02aa903dc082872068dea6597c8d22e6154f25976a309815a8efd721b5451ceb3646976d69e664db261becd18f250b8fdaa89a6

      Download Submit
    • memory/1248-0-0x000000002F111000-0x000000002F112000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1248-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1248-2-0x00000000715DD000-0x00000000715E8000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1248-78-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1248-57-0x00000000715DD000-0x00000000715E8000-memory.dmp
      Filesize

      44KB

      Download
    • memory/2328-51-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2328-42-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2328-46-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2328-54-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2328-53-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2328-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2328-48-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2328-44-0x0000000000400000-0x0000000000426000-memory.dmp
      Filesize

      152KB

      Download
    • memory/2584-41-0x0000000004240000-0x00000000042A8000-memory.dmp
      Filesize

      416KB

      Download
    • memory/2584-40-0x00000000004D0000-0x00000000004DC000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2584-38-0x0000000000360000-0x0000000000370000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2584-33-0x0000000000AE0000-0x0000000000B68000-memory.dmp
      Filesize

      544KB

      Download