Analysis
- max time kernel: 108s
- max time network: 13s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 21-06-2021 15:06
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ-YEKHA-20-0151.exe
  Resource: win7v20210410 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: RFQ-YEKHA-20-0151.exe
  Resource: win10v20210408 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: RFQ-YEKHA-20-0151.exe
- Size: 702KB
- MD5: 20ceb0cdf1f078b28671054c2863052c
- SHA1: fc335d40a3fe8aceb4fbfd89c279b9b56a142556
- SHA256: 4223fc55e6b0fc32d0f55607395055db9023a5d6980dccad59f11aadf0179b86
- SHA512: 1639777ffadd90248a0735429fb3068a0dc5ad106520416104afaebfb2744950c96ee8918267041c6055a882b022ea15472f545e7333329124d2699e5847ec1a
Score: 10/10
Malware Config
Extracted
Family: snakekeylogger
Credentials
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: newoffice@myexodus1.com
- Password: gefqPU#Az8
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          pid  process                target process
  PID 540 set thread context of 1252   540  RFQ-YEKHA-20-0151.exe  RFQ-YEKHA-20-0151.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (9 identical entries):
  description                          pid  process                target process
  PID 540 wrote to memory of 1252      540  RFQ-YEKHA-20-0151.exe  RFQ-YEKHA-20-0151.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe (depth 2, child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/540-60-0x0000000075A71000-0x0000000075A73000-memory.dmp (8KB)
- memory/540-61-0x00000000004A0000-0x00000000004A1000-memory.dmp (4KB)
- memory/540-64-0x00000000004A1000-0x00000000004A2000-memory.dmp (4KB)
- memory/1252-62-0x0000000000400000-0x000000000046A000-memory.dmp (424KB)
- memory/1252-63-0x00000000004645BE-mapping.dmp