Analysis
- max time kernel: 60s
- max time network: 114s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 19-01-2021 07:22

Static task: static1

Behavioral task: behavioral1
- Sample: RFQ_FOR_PO.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: RFQ_FOR_PO.exe
- Resource: win10v20201028
General
- Target: RFQ_FOR_PO.exe
- Size: 1.7MB
- MD5: 3696d772035228acb5692f4ff6ad9fd7
- SHA1: 2a2a4e13d861dcf3b31b089ae9b99281dd3d6ef7
- SHA256: 745b655e27656f2b312cfbb28cbe718ea494c503cd96fa63ee65a9a3caa8f939
- SHA512: 802ba65ea3223aa68d17f86023e669a00884fec71f8631b3ed925a2a82967d8cb13b9dfefc13237af50949a22a0c9a0adb4980499aeb4d4418fe2b7454f43101
Malware Config
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.

- Snake Keylogger Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/3044-15-0x0000000000400000-0x0000000000466000-memory.dmp | family_snakekeylogger
  behavioral2/memory/3044-16-0x0000000000461EEE-mapping.dmp | family_snakekeylogger

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  15 | checkip.dyndns.org
  18 | freegeoip.app
  19 | freegeoip.app

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 812 set thread context of 3044 | 812 | RFQ_FOR_PO.exe | RFQ_FOR_PO.exe

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid | process
  3044 | RFQ_FOR_PO.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3044 | RFQ_FOR_PO.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description | pid | process | target process
  PID 812 wrote to memory of 1976 | 812 | RFQ_FOR_PO.exe | schtasks.exe (3 entries)
  PID 812 wrote to memory of 3044 | 812 | RFQ_FOR_PO.exe | RFQ_FOR_PO.exe (8 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQ_FOR_PO.exe (PID 812)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ_FOR_PO.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 1976, child of 812)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EIIphOzWsDnVnb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2D89.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\RFQ_FOR_PO.exe (PID 3044, child of 812)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ_FOR_PO.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ_FOR_PO.exe.log
  MD5: 90acfd72f14a512712b1a7380c0faf60
  SHA1: 40ba4accb8faa75887e84fb8e38d598dc8cf0f12
  SHA256: 20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86
  SHA512: 29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

- C:\Users\Admin\AppData\Local\Temp\tmp2D89.tmp
  MD5: b9953cfcf8c1c3bb750d230b663b51cc
  SHA1: 49e4a1f2dac99bf56e94c7133dbee5935669ba9e
  SHA256: 4f2e1b86c0012aad3e96880dcecd4cda0acfbab5332b01bce648f11f4a038b7f
  SHA512: 72ea6ebac0c04e6adf3af17e880e7400664591051a069241d17e505685d44a846c0f1263634123b626dbedd6aa7f68fa2a55c6d2654e991fc563b1b04bf07c81