Analysis
- max time kernel: 112s
- max time network: 115s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 21-06-2021 15:06
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ-YEKHA-20-0151.exe
  Resource: win7v20210410
Behavioral task: behavioral2 (the run shown in this report)
  Sample: RFQ-YEKHA-20-0151.exe
  Resource: win10v20210408
General
- Target: RFQ-YEKHA-20-0151.exe
- Size: 702KB
- MD5: 20ceb0cdf1f078b28671054c2863052c
- SHA1: fc335d40a3fe8aceb4fbfd89c279b9b56a142556
- SHA256: 4223fc55e6b0fc32d0f55607395055db9023a5d6980dccad59f11aadf0179b86
- SHA512: 1639777ffadd90248a0735429fb3068a0dc5ad106520416104afaebfb2744950c96ee8918267041c6055a882b022ea15472f545e7333329124d2699e5847ec1a
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: newoffice@myexodus1.com
- Password: gefqPU#Az8
The extracted configuration shows the stealer exfiltrates over authenticated SMTP submission (port 587) through a mailhostbox.com relay using the newoffice@myexodus1.com account; the host and the sender account are the network indicators to block and hunt for, and outbound 587 from user workstations to that relay is the traffic to alert on.
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Suspicious use of SetThreadContext (1 IoC)
  Processes: RFQ-YEKHA-20-0151.exe
  description | pid | process | target process
  PID 604 set thread context of 212 | 604 | RFQ-YEKHA-20-0151.exe | RFQ-YEKHA-20-0151.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: dw20.exe
  pid | process
  2340 | dw20.exe
  2340 | dw20.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: dw20.exe
  description | pid | process
  Token: SeRestorePrivilege | 2340 | dw20.exe
  Token: SeBackupPrivilege | 2340 | dw20.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: RFQ-YEKHA-20-0151.exe, RFQ-YEKHA-20-0151.exe
  description | pid | process | target process
  PID 604 wrote to memory of 212 | 604 | RFQ-YEKHA-20-0151.exe | RFQ-YEKHA-20-0151.exe (8 rows)
  PID 212 wrote to memory of 2340 | 212 | RFQ-YEKHA-20-0151.exe | dw20.exe (3 rows)
Processes
1. C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe (PID 604)
   Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe (PID 212, child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ-YEKHA-20-0151.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (PID 2340, child of 2)
         Command line: dw20.exe -x -s 688
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
The tree and the signature tables describe one injection: the dropper (PID 604) launches a second copy of its own image (PID 212), writes into it eight times and then calls SetThreadContext on it, which is the process-hollowing shape (overwrite a suspended copy of yourself, then redirect its thread). dw20.exe under v2.0.50727 is the .NET Framework error-reporting shim that the CLR starts when a managed process dies on an unhandled exception; its appearance as a child of PID 212, together with the three writes from 212 into it, is consistent with the hollowed payload crashing in this run, so the absence of any captured network activity below should not be read as the sample having no exfiltration path.
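Added example (not part of the Triage report and not code from the sample): a short Python script that parses the flattened WriteProcessMemory and SetThreadContext rows from the signature tables above and reconstructs the injection chain, flagging any source/target pair that received both a memory write and a thread-context change. The input rows are copied from the report and embedded as constructed data; the row-layout regex, the function names and the same-image heuristic are assumptions made for this example.

```python
"""Reconstruct the injection chain from flattened sandbox API IoC rows.

Added example. The rows below are copied from the report's
"Suspicious use of SetThreadContext" and "Suspicious use of WriteProcessMemory"
tables and embedded here as constructed input so the script runs offline.
"""
import re
from collections import OrderedDict

SANDBOX_IOC_ROWS = [
    "PID 604 set thread context of 212 604 RFQ-YEKHA-20-0151.exe RFQ-YEKHA-20-0151.exe",
] + [
    "PID 604 wrote to memory of 212 604 RFQ-YEKHA-20-0151.exe RFQ-YEKHA-20-0151.exe",
] * 8 + [
    "PID 212 wrote to memory of 2340 212 RFQ-YEKHA-20-0151.exe dw20.exe",
] * 3

# Row layout as it appears in the report (assumed for this example):
# "PID <src> <action> <dst> <src> <src image> <dst image>"
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_rows(rows):
    """Turn each flattened row into (src_pid, dst_pid, api, src_img, dst_img)."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m is None:
            raise ValueError(f"unrecognised IoC row: {row!r}")
        api = "SetThreadContext" if m["action"].startswith("set") else "WriteProcessMemory"
        events.append((int(m["src"]), int(m["dst"]), api, m["src_img"], m["dst_img"]))
    return events


def summarize_pairs(events):
    """Count each API per (src pid, dst pid) pair, keeping report order."""
    pairs = OrderedDict()
    for src, dst, api, src_img, dst_img in events:
        entry = pairs.setdefault(
            (src, dst),
            {"src_img": src_img, "dst_img": dst_img,
             "WriteProcessMemory": 0, "SetThreadContext": 0},
        )
        entry[api] += 1
    return pairs


def find_hollowing_candidates(events):
    """Split pairs into hollowing candidates and write-only pairs.

    A pair that got both WriteProcessMemory and SetThreadContext is the
    hollowing shape; same_image marks the "launched a copy of itself" case.
    Pairs with writes but no context change are returned separately so the
    analyst can judge them (here: the crashed child handing data to dw20.exe).
    """
    candidates, writes_only = [], []
    for (src, dst), e in summarize_pairs(events).items():
        record = {"src": src, "dst": dst, "src_img": e["src_img"],
                  "dst_img": e["dst_img"], "writes": e["WriteProcessMemory"]}
        if e["SetThreadContext"] and e["WriteProcessMemory"]:
            record["same_image"] = e["src_img"].lower() == e["dst_img"].lower()
            candidates.append(record)
        elif e["WriteProcessMemory"]:
            writes_only.append(record)
    return candidates, writes_only


if __name__ == "__main__":
    hollow, other = find_hollowing_candidates(parse_rows(SANDBOX_IOC_ROWS))
    for c in hollow:
        print(f"hollowing candidate: {c['src']} ({c['src_img']}) -> {c['dst']} "
              f"({c['dst_img']}), {c['writes']} writes, same image: {c['same_image']}")
    for o in other:
        print(f"writes without SetThreadContext: {o['src']} -> {o['dst']} "
              f"({o['dst_img']}), {o['writes']} writes")
```

On this report the script yields one candidate, 604 to 212 with the same image name, and one write-only pair, 212 to 2340 (dw20.exe); feeding it the same three-column rows from another Triage report, or rows you build from your own Sysmon/EDR process-access telemetry, gives the same split.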
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RFQ-YEKHA-20-0151.exe.log
  MD5: 5e7bb97636a484b5a87e60373614279a
  SHA1: 36bfdec32eedb141a4a106d89a453326f62593ee
  SHA256: 12ed6e1df2c57556c59dfd6630fd454a9df76166f340c41ee6bc54d98e709e20
  SHA512: 448c62d538e646045d7315ff902b86f614e2dc1eb0959c22c6618fd2c8767c330d24692357559310e6b55b0c35415a14a6ab2d6d9b8d2a03186949b97190fd56
- memory/212-116-0x00000000004645BE-mapping.dmp
- memory/212-115-0x0000000000400000-0x000000000046A000-memory.dmp (Filesize: 424KB)
- memory/212-119-0x0000000001560000-0x0000000001561000-memory.dmp (Filesize: 4KB)
- memory/604-114-0x00000000029F0000-0x00000000029F1000-memory.dmp (Filesize: 4KB)
- memory/2340-118-0x0000000000000000-mapping.dmp
The CLR_v2.0_32 UsageLogs entry, together with the v2.0.50727 dw20.exe in the process tree, shows the dropper runs under the 32-bit .NET 2.0 CLR. The 424KB dump of 0x400000-0x46A000 in PID 212 covers the image region of the hollowed copy and is the artefact to pull for static analysis of the injected payload; the hashes above are for the CLR usage log, not for the sample itself (see General).