Overview

overview

10

Static

static

Specificat...LQ.exe

windows7_x64

10

Specificat...LQ.exe

windows10_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    166s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    22-07-2021 11:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Specifications_Details_20337_FLQ.exe

  • Size

    503KB

  • MD5

    432dafd9a9d895a6be98225d93533bc9

  • SHA1

    f8372831247316dad9651f0f7dc8c94adfcc26bd

  • SHA256

    f21588a5a2118f8b06488d6ee22be10c90016e672c40e20ea92572fd955edde3

  • SHA512

    b5f7b6610d0dd89a639815602d94c6ffd8f7a5afd807bfaef6c58589f0a44a126b90b7cb10b893899e6317abf262facc497ed66a015ca4c7f64caa44848120a3

Score
10/10
snakekeyloggerkeyloggerpersistencestealer

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    D#$M779Bx*!2^111

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Specifications_Details_20337_FLQ.exe
    "C:\Users\Admin\AppData\Local\Temp\Specifications_Details_20337_FLQ.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:640
    • C:\Users\Admin\AppData\Local\Temp\Specifications_Details_20337_FLQ.exe
      C:\Users\Admin\AppData\Local\Temp\Specifications_Details_20337_FLQ.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:828

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/640-59-0x0000000000BE0000-0x0000000000BE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/640-61-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/640-62-0x00000000041F0000-0x0000000004241000-memory.dmp
    Filesize

    324KB

    Download
  • memory/640-67-0x0000000005000000-0x0000000005081000-memory.dmp
    Filesize

    516KB

    Download
  • memory/828-68-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/828-69-0x000000000041FE5E-mapping.dmp
    Download
  • memory/828-70-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize

    144KB

    Download
  • memory/828-72-0x0000000002160000-0x0000000002161000-memory.dmp
    Filesize

    4KB

    Download