Overview

overview

10

Static

static

3

KFQH Blank...at.exe

windows7-x64

10

KFQH Blank...at.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    122s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    03-11-2023 16:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    KFQH Blank Booking Form.bat.exe

  • Size

    1.1MB

  • MD5

    0efb9fa85f31cf712388fcc55484bb96

  • SHA1

    e7f209e7b91a6429c0d2ee24a869751d201f4e65

  • SHA256

    e54a0d1fb979d19bf7cbf681df38b284bb5b1b9a5848e220bda941e0417bc7fc

  • SHA512

    d34890aa9267c0d57bc46e33107e8626f6bb08e48966b7b742e402e597716025691dfc15c5cbdece980b29c974b89440cb9af13792214fc744cb7585550cb96a

  • SSDEEP

    24576:UZfxjLZisWPsuLkB/YAuseX7KvO1YAuJMi+sPV3GykDfMNVzCOgKIQtKoColK5da:0xjIPsMpAuserKvpAuJMi+sPV3GykDf0

Score
10/10
snakekeyloggerkeyloggerstealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6708141821:AAEG0Dpkj7hEuj6EHpRMMDr5JQOvFGtpnRQ/sendMessage?chat_id=5986156290

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KFQH Blank Booking Form.bat.exe
    "C:\Users\Admin\AppData\Local\Temp\KFQH Blank Booking Form.bat.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      2⤵
        PID:1944
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 604
        2⤵
        • Loads dropped DLL
        • Program crash
        PID:2184

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\KFQH Blank Booking Form.bat.exe
      Filesize

      1.1MB

      MD5

      0efb9fa85f31cf712388fcc55484bb96

      SHA1

      e7f209e7b91a6429c0d2ee24a869751d201f4e65

      SHA256

      e54a0d1fb979d19bf7cbf681df38b284bb5b1b9a5848e220bda941e0417bc7fc

      SHA512

      d34890aa9267c0d57bc46e33107e8626f6bb08e48966b7b742e402e597716025691dfc15c5cbdece980b29c974b89440cb9af13792214fc744cb7585550cb96a

      Download Submit

    • \Users\Admin\AppData\Local\Temp\KFQH Blank Booking Form.bat.exe
      Filesize

      1.1MB

      MD5

      0efb9fa85f31cf712388fcc55484bb96

      SHA1

      e7f209e7b91a6429c0d2ee24a869751d201f4e65

      SHA256

      e54a0d1fb979d19bf7cbf681df38b284bb5b1b9a5848e220bda941e0417bc7fc

      SHA512

      d34890aa9267c0d57bc46e33107e8626f6bb08e48966b7b742e402e597716025691dfc15c5cbdece980b29c974b89440cb9af13792214fc744cb7585550cb96a

      Download Submit

    • \Users\Admin\AppData\Local\Temp\KFQH Blank Booking Form.bat.exe
      Filesize

      1.1MB

      MD5

      0efb9fa85f31cf712388fcc55484bb96

      SHA1

      e7f209e7b91a6429c0d2ee24a869751d201f4e65

      SHA256

      e54a0d1fb979d19bf7cbf681df38b284bb5b1b9a5848e220bda941e0417bc7fc

      SHA512

      d34890aa9267c0d57bc46e33107e8626f6bb08e48966b7b742e402e597716025691dfc15c5cbdece980b29c974b89440cb9af13792214fc744cb7585550cb96a

      Download Submit

    • \Users\Admin\AppData\Local\Temp\KFQH Blank Booking Form.bat.exe
      Filesize

      1.1MB

      MD5

      0efb9fa85f31cf712388fcc55484bb96

      SHA1

      e7f209e7b91a6429c0d2ee24a869751d201f4e65

      SHA256

      e54a0d1fb979d19bf7cbf681df38b284bb5b1b9a5848e220bda941e0417bc7fc

      SHA512

      d34890aa9267c0d57bc46e33107e8626f6bb08e48966b7b742e402e597716025691dfc15c5cbdece980b29c974b89440cb9af13792214fc744cb7585550cb96a

      Download Submit

    • \Users\Admin\AppData\Local\Temp\KFQH Blank Booking Form.bat.exe
      Filesize

      1.1MB

      MD5

      0efb9fa85f31cf712388fcc55484bb96

      SHA1

      e7f209e7b91a6429c0d2ee24a869751d201f4e65

      SHA256

      e54a0d1fb979d19bf7cbf681df38b284bb5b1b9a5848e220bda941e0417bc7fc

      SHA512

      d34890aa9267c0d57bc46e33107e8626f6bb08e48966b7b742e402e597716025691dfc15c5cbdece980b29c974b89440cb9af13792214fc744cb7585550cb96a

      Download Submit

    • memory/1768-4-0x00000000005E0000-0x00000000005EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1768-0-0x0000000000C90000-0x0000000000DA4000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1768-3-0x0000000004880000-0x00000000048C0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1768-2-0x00000000006C0000-0x0000000000714000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1768-1-0x0000000074C10000-0x00000000752FE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1768-18-0x0000000074C10000-0x00000000752FE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1768-19-0x0000000004880000-0x00000000048C0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1944-7-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1944-9-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1944-11-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1944-5-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download