Overview

overview

10

Static

static

3

Nhuhqpc.exe

windows7-x64

6

Nhuhqpc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    78s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 19:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nhuhqpc.exe

  • Size

    171KB

  • MD5

    306561287324dcb749b051225c7ca686

  • SHA1

    715ac0c7eb48a0ff536be8c8e9cf16e3bb62e3cd

  • SHA256

    6caab57198e2e3cc5833f0b578e193c99230595f66ab98eb00f0fdae7d8c2c8a

  • SHA512

    578128194a04788bae0321645f8100a0216e801c1d60251b830add12f63f6feb4f0d562deea5cd64bbe453b744fa49590b514856613b2c3eaae167ea88575f43

  • SSDEEP

    1536:A1vldVVr/ETon7CdEZIPas6A5Adgl6nPUStsJhB9rMVcoXfRlXn:cYon7O/XigW6/wcoZl3

Score
10/10
snakekeyloggercollectionkeyloggerpersistencestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6429805701:AAEngMg5r6ewcqgGwVjFKJpjYF7Sc8nwhxA/sendMessage?chat_id=5262627523

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nhuhqpc.exe
    "C:\Users\Admin\AppData\Local\Temp\Nhuhqpc.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:3472

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1048-11-0x00007FFEAF540000-0x00007FFEB0001000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1048-1-0x00007FFEAF540000-0x00007FFEB0001000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1048-2-0x000001ACC9E70000-0x000001ACC9E80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1048-3-0x000001ACB14F0000-0x000001ACB1538000-memory.dmp

    Filesize

    288KB

    Download

  • memory/1048-4-0x000001ACCA000000-0x000001ACCA036000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1048-5-0x000001ACCA0B0000-0x000001ACCA0FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1048-6-0x00007FFEAF540000-0x00007FFEB0001000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1048-7-0x000001ACC9E70000-0x000001ACC9E80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1048-0-0x000001ACAF8C0000-0x000001ACAF8F0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3472-9-0x0000000140000000-0x0000000140022000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3472-12-0x00007FFEAF540000-0x00007FFEB0001000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3472-13-0x0000026B75BA0000-0x0000026B75BB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3472-14-0x00007FFEAF540000-0x00007FFEB0001000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3472-15-0x0000026B75BA0000-0x0000026B75BB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3472-16-0x0000026B77E90000-0x0000026B77EE0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3472-17-0x0000026B780B0000-0x0000026B78272000-memory.dmp

    Filesize

    1.8MB

    Download