Analysis
- max time kernel: 104s
- max time network: 48s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 18-06-2021 07:31
Static task: static1

Behavioral task: behavioral1
- Sample: RFQ-YEKHA-20-0151.exe
- Resource: win7v20210410
- Platform: windows7_x64
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: RFQ-YEKHA-20-0151.exe
- Resource: win10v20210408
- Platform: windows10_x64
- 0 signatures
- 0 seconds
General
- Target: RFQ-YEKHA-20-0151.exe
- Size: 702KB
- MD5: 20ceb0cdf1f078b28671054c2863052c
- SHA1: fc335d40a3fe8aceb4fbfd89c279b9b56a142556
- SHA256: 4223fc55e6b0fc32d0f55607395055db9023a5d6980dccad59f11aadf0179b86
- SHA512: 1639777ffadd90248a0735429fb3068a0dc5ad106520416104afaebfb2744950c96ee8918267041c6055a882b022ea15472f545e7333329124d2699e5847ec1a
- Score: 10/10
Malware Config
Extracted
- Family: snakekeylogger
- Credentials:
  - Protocol: smtp
  - Host: us2.smtp.mailhostbox.com
  - Port: 587
  - Username: newoffice@myexodus1.com
  - Password: gefqPU#Az8
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          | pid  | process               | target process
  PID 1104 set thread context of 548   | 1104 | RFQ-YEKHA-20-0151.exe | RFQ-YEKHA-20-0151.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid  | process
  1104 | RFQ-YEKHA-20-0151.exe
  1104 | RFQ-YEKHA-20-0151.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 1104 | RFQ-YEKHA-20-0151.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  description                         | pid  | process               | target process        | entries
  PID 1104 wrote to memory of 1680    | 1104 | RFQ-YEKHA-20-0151.exe | RFQ-YEKHA-20-0151.exe | 4
  PID 1104 wrote to memory of 268     | 1104 | RFQ-YEKHA-20-0151.exe | RFQ-YEKHA-20-0151.exe | 4
  PID 1104 wrote to memory of 548     | 1104 | RFQ-YEKHA-20-0151.exe | RFQ-YEKHA-20-0151.exe | 9
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe (depth 2, child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe"
  - C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe (depth 2, child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe"
  - C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe (depth 2, child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/548-62-0x00000000004645BE-mapping.dmp
- memory/548-61-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize: 424KB)
- memory/1104-59-0x0000000075EF1000-0x0000000075EF3000-memory.dmp (Filesize: 8KB)
- memory/1104-60-0x0000000001F70000-0x0000000001F71000-memory.dmp (Filesize: 4KB)
- memory/1104-63-0x0000000001F71000-0x0000000001F72000-memory.dmp (Filesize: 4KB)