Analysis
-
max time kernel
130s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
29/01/2024, 13:54
Static task
static1
Behavioral task
behavioral1
Sample
RFQ-20240129.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
RFQ-20240129.exe
Resource
win10v2004-20231222-en
General
-
Target
RFQ-20240129.exe
-
Size
906KB
-
MD5
6d4443427f8685adac6eeb1448248f93
-
SHA1
fa5bc1820f062cba30d413e67f61531abb96aa3d
-
SHA256
706c041ad5d324064ea8bdcfb68f81e0fac4b6452d0629a30ce75d84592b1bd3
-
SHA512
961b774b33bb9a6f003d1bcd8db80b5d0209ceaacfb1bfeec61719aedc988505d3ce535d9cc03ed7a6c6222a54de644b942e6567fde12196c9c3fb205d08f527
-
SSDEEP
12288:JVfAoIFFHgeg/cSdBsV1In4qW6xzsU66kE3fldhU6MeS:JVfAXFxSu1In4F6xLHlfr263
Malware Config
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
resource yara_rule behavioral2/memory/4844-12-0x0000000000400000-0x0000000000426000-memory.dmp family_snakekeylogger -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RFQ-20240129.exe Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RFQ-20240129.exe Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RFQ-20240129.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 21 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2616 set thread context of 4844 2616 RFQ-20240129.exe 97 -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2616 RFQ-20240129.exe 2616 RFQ-20240129.exe 2616 RFQ-20240129.exe 2616 RFQ-20240129.exe 2616 RFQ-20240129.exe 2616 RFQ-20240129.exe 2616 RFQ-20240129.exe 2616 RFQ-20240129.exe 4844 RFQ-20240129.exe 4844 RFQ-20240129.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2616 RFQ-20240129.exe Token: SeDebugPrivilege 4844 RFQ-20240129.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2616 wrote to memory of 508 2616 RFQ-20240129.exe 96 PID 2616 wrote to memory of 508 2616 RFQ-20240129.exe 96 PID 2616 wrote to memory of 508 2616 RFQ-20240129.exe 96 PID 2616 wrote to memory of 4844 2616 RFQ-20240129.exe 97 PID 2616 wrote to memory of 4844 2616 RFQ-20240129.exe 97 PID 2616 wrote to memory of 4844 2616 RFQ-20240129.exe 97 PID 2616 wrote to memory of 4844 2616 RFQ-20240129.exe 97 PID 2616 wrote to memory of 4844 2616 RFQ-20240129.exe 97 PID 2616 wrote to memory of 4844 2616 RFQ-20240129.exe 97 PID 2616 wrote to memory of 4844 2616 RFQ-20240129.exe 97 PID 2616 wrote to memory of 4844 2616 RFQ-20240129.exe 97 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RFQ-20240129.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RFQ-20240129.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe"C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe"C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe"2⤵PID:508
-
-
C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe"C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4844
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3