snakekeylogger | 143b430b2cf5363e24a62b531370f5b765ee78138f9e7fd98266724da353d29f | Triage

Analysis

max time kernel
108s
max time network
13s
platform
windows7_x64
resource
win7v20210410
submitted
21-06-2021 15:06

Sharing

Report Analysis Logs

General

Target

RFQ-YEKHA-20-0151.exe
Size

702KB
MD5

20ceb0cdf1f078b28671054c2863052c
SHA1

fc335d40a3fe8aceb4fbfd89c279b9b56a142556
SHA256

4223fc55e6b0fc32d0f55607395055db9023a5d6980dccad59f11aadf0179b86
SHA512

1639777ffadd90248a0735429fb3068a0dc5ad106520416104afaebfb2744950c96ee8918267041c6055a882b022ea15472f545e7333329124d2699e5847ec1a

Score

10^/10

snakekeylogger keylogger stealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
newoffice@myexodus1.com
Password:
gefqPU#Az8

Signatures

Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger
Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ-YEKHA-20-0151.exe

description pid process target process

PID 540 set thread context of 1252 540 RFQ-YEKHA-20-0151.exe RFQ-YEKHA-20-0151.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

RFQ-YEKHA-20-0151.exe

description	pid	process	target process
PID 540 wrote to memory of 1252	540	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 540 wrote to memory of 1252	540	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 540 wrote to memory of 1252	540	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 540 wrote to memory of 1252	540	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 540 wrote to memory of 1252	540	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 540 wrote to memory of 1252	540	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 540 wrote to memory of 1252	540	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 540 wrote to memory of 1252	540	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe
PID 540 wrote to memory of 1252	540	RFQ-YEKHA-20-0151.exe	RFQ-YEKHA-20-0151.exe

C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe"
2⤵
PID:1252

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/540-60-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/540-61-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/540-64-0x00000000004A1000-0x00000000004A2000-memory.dmp

Filesize
4KB

Download
memory/1252-62-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1252-63-0x00000000004645BE-mapping.dmp

Download