Analysis
Max time kernel: 139s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20231023-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 27-10-2023 09:45
Static task: static1
Behavioral task: behavioral1
  Sample: URGENT RFQ! RFP82810.exe
  Resource: win7-20231025-en
Behavioral task: behavioral2
  Sample: URGENT RFQ! RFP82810.exe
  Resource: win10v2004-20231023-en
General
Target: URGENT RFQ! RFP82810.exe
Size: 329KB
MD5: 42df97789a51cb7ba473e6f447e83989
SHA1: 400e3f2bc880dd690e4dcbfd8024995e83347d9d
SHA256: 73dc704c3a82e161c621cdbd9164c9ee86ccb8b7fa0dcfc8f03ce40335c8604e
SHA512: 0b3b26bb8d131fc506d9e3be57b1ef7d9c51f46a7dc9529bc4657a90767e09997e5675c91a2e83772ab4602b2c923d840ff5c708a831c24cf38b570eec6c023d
SSDEEP: 6144:/CKQBMNitGsC/UJiQ2+423iCn3XgIqFsPe35bgaGPEQD:/fQ67sCYiX23PXbqL35bgaGf
Malware Config
Extracted family: snakekeylogger
Protocol: smtp
Host: mail.alsarisi.com
Port: 587
Username: [email protected]
Password: May$2009
Email To: [email protected]
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoC)
  Resource: behavioral2/memory/3600-9-0x0000000000400000-0x0000000000424000-memory.dmp
  YARA rule: family_snakekeylogger
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow: 40
  IoC: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Description: PID 344 set thread context of 3600
  Process: URGENT RFQ! RFP82810.exe (PID 344)
  Target process: RegAsm.exe (PID 3600)
- Program crash (1 IoC)
  Process: WerFault.exe (PID 3724)
  Target process: RegAsm.exe (PID 3600)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: RegAsm.exe (PID 3600)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description: Token: SeDebugPrivilege
  Process: RegAsm.exe (PID 3600)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Description: PID 344 wrote to memory of 3600 (the same event is recorded 8 times)
  Process: URGENT RFQ! RFP82810.exe (PID 344)
  Target process: RegAsm.exe (PID 3600)
Processes
- C:\Users\Admin\AppData\Local\Temp\URGENT RFQ! RFP82810.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\URGENT RFQ! RFP82810.exe"
  PID: 344
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child of PID 344)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    PID: 3600
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (child of PID 3600)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 1532
      PID: 3724
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3600 -ip 3600
  PID: 724