Analysis Overview
SHA256
706c041ad5d324064ea8bdcfb68f81e0fac4b6452d0629a30ce75d84592b1bd3
Threat Level: Known bad
The file RFQ-20240129.exe was found to be: Known bad.
Malicious Activity Summary
Snake Keylogger payload
Snake Keylogger
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
outlook_office_path
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-29 13:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-29 13:54
Reported
2024-01-29 13:56
Platform
win7-20231215-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe"
C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe"
C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe"
C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe"
C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe"
C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe"
Network
Files
memory/1488-1-0x00000000749D0000-0x00000000750BE000-memory.dmp
memory/1488-0-0x0000000000280000-0x0000000000368000-memory.dmp
memory/1488-2-0x0000000004D70000-0x0000000004DB0000-memory.dmp
memory/1488-3-0x0000000000440000-0x000000000045C000-memory.dmp
memory/1488-4-0x0000000000470000-0x0000000000484000-memory.dmp
memory/1488-5-0x0000000005310000-0x0000000005378000-memory.dmp
memory/1488-6-0x00000000749D0000-0x00000000750BE000-memory.dmp
memory/1488-7-0x0000000004D70000-0x0000000004DB0000-memory.dmp
memory/1488-8-0x00000000749D0000-0x00000000750BE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-29 13:54
Reported
2024-01-29 13:56
Platform
win10v2004-20231222-en
Max time kernel
130s
Max time network
131s
Command Line
Signatures
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2616 set thread context of 4844 | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe"
C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe"
C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-20240129.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 188.114.97.2:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 168.6.122.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | varders.kozow.com | udp |
| FR | 51.38.247.67:8081 | varders.kozow.com | tcp |
| US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aborters.duckdns.org | udp |
| NL | 91.92.255.235:8081 | aborters.duckdns.org | tcp |
| US | 8.8.8.8:53 | 235.255.92.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/2616-0-0x0000000000B90000-0x0000000000C78000-memory.dmp
memory/2616-1-0x0000000074AC0000-0x0000000075270000-memory.dmp
memory/2616-2-0x0000000005C00000-0x00000000061A4000-memory.dmp
memory/2616-3-0x00000000056F0000-0x0000000005782000-memory.dmp
memory/2616-4-0x0000000005600000-0x0000000005610000-memory.dmp
memory/2616-5-0x0000000005690000-0x000000000569A000-memory.dmp
memory/2616-6-0x0000000005B90000-0x0000000005BAC000-memory.dmp
memory/2616-7-0x0000000005BC0000-0x0000000005BD4000-memory.dmp
memory/2616-8-0x0000000006B10000-0x0000000006B78000-memory.dmp
memory/2616-9-0x0000000009230000-0x00000000092CC000-memory.dmp
memory/2616-10-0x0000000074AC0000-0x0000000075270000-memory.dmp
memory/2616-11-0x0000000005600000-0x0000000005610000-memory.dmp
memory/4844-12-0x0000000000400000-0x0000000000426000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ-20240129.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
memory/4844-15-0x0000000074AC0000-0x0000000075270000-memory.dmp
memory/2616-17-0x0000000074AC0000-0x0000000075270000-memory.dmp
memory/4844-16-0x0000000005300000-0x0000000005310000-memory.dmp
memory/4844-18-0x0000000074AC0000-0x0000000075270000-memory.dmp
memory/4844-19-0x0000000005300000-0x0000000005310000-memory.dmp
memory/4844-20-0x00000000065A0000-0x00000000065F0000-memory.dmp
memory/4844-21-0x00000000067C0000-0x0000000006982000-memory.dmp