snakekeylogger | 4223fc55e6b0fc32d0f55607395055db9023a5d6980dccad59f11aadf0179b86

General

Target

RFQ-YEKHA-20-0151.exe
Size

702KB
MD5

20ceb0cdf1f078b28671054c2863052c
SHA1

fc335d40a3fe8aceb4fbfd89c279b9b56a142556
SHA256

4223fc55e6b0fc32d0f55607395055db9023a5d6980dccad59f11aadf0179b86
SHA512

1639777ffadd90248a0735429fb3068a0dc5ad106520416104afaebfb2744950c96ee8918267041c6055a882b022ea15472f545e7333329124d2699e5847ec1a

Score

10^/10

Family

snakekeylogger

Credentials

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ-YEKHA-20-0151.exe

description pid process target process

PID 1104 set thread context of 548 1104 RFQ-YEKHA-20-0151.exe RFQ-YEKHA-20-0151.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RFQ-YEKHA-20-0151.exe

pid process

1104 RFQ-YEKHA-20-0151.exe
1104 RFQ-YEKHA-20-0151.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RFQ-YEKHA-20-0151.exe

description pid process

Token: SeDebugPrivilege 1104 RFQ-YEKHA-20-0151.exe

description	pid	process	target process
PID 1104 set thread context of 548	1104	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe

pid	process
1104	RFQ-YEKHA-20-0151.exe
1104	RFQ-YEKHA-20-0151.exe

description	pid	process
Token: SeDebugPrivilege	1104	RFQ-YEKHA-20-0151.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

RFQ-YEKHA-20-0151.exe

description	pid	process	target process
PID 1104 wrote to memory of 1680	1104	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 1104 wrote to memory of 1680	1104	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 1104 wrote to memory of 1680	1104	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 1104 wrote to memory of 1680	1104	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 1104 wrote to memory of 268	1104	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 1104 wrote to memory of 268	1104	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 1104 wrote to memory of 268	1104	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 1104 wrote to memory of 268	1104	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 1104 wrote to memory of 548	1104	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 1104 wrote to memory of 548	1104	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 1104 wrote to memory of 548	1104	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 1104 wrote to memory of 548	1104	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 1104 wrote to memory of 548	1104	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 1104 wrote to memory of 548	1104	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 1104 wrote to memory of 548	1104	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 1104 wrote to memory of 548	1104	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 1104 wrote to memory of 548	1104	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe

C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe"
2⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe"
2⤵
PID:268

C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe"
2⤵
PID:548

memory/548-62-0x00000000004645BE-mapping.dmp

Download
memory/548-61-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1104-59-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1104-60-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/1104-63-0x0000000001F71000-0x0000000001F72000-memory.dmp

Filesize
4KB

Download