General
Target: 072b92084f2b1be33976bd6ab9d025c514510fbd8aaf64c2c5dae57a8c73223a
Size: 535KB
Sample: 240905-j5fj8awdnj
MD5: 9524d647f2a5d91cb0cbd8548e28b34d
SHA1: ab71bf1dcbcf27c0509575c1cca5f1474c3434c0
SHA256: 072b92084f2b1be33976bd6ab9d025c514510fbd8aaf64c2c5dae57a8c73223a
SHA512: f8c4ac803293a178ce9798d8aa07f3beb61d1f3b64ced0d9326daf0257ca5cf1b4dfa9dcf2e1f5f3f2c1cc0819233980edf13a5270223a642020ab7a5c312347
SSDEEP: 12288:LpFF4vb4qRi6dVuW9LGCzu9CHZwGom+ZebKl2lgx5hvk+q:tFF96dBaCz/iGoFZebk5xkr
Static task: static1
Behavioral task: behavioral1
  Sample: RQF.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: RQF.exe
  Resource: win10v2004-20240802-en
Malware Config
Targets
Target: RQF.exe
Size: 557KB
MD5: 45f23b46fdb2369386e67c7f44d08a0c
SHA1: c3150b08e3694a5c63c78a43c3caed0b7e6483c4
SHA256: bfa4e5031ae699c4d919e62752246cdf250c1022e571e2d3927eb65b4eb07d20
SHA512: 7d1cb376e28c887ea2f41c17ffce239757a97b937a6cecb7826c3c6f870f9c06034978f46874d5960db4c7b3095e976a4e3bdb7568dd31105cb06aaf65b0e2d1
SSDEEP: 12288:swLfkTboqRi6NVuk9/GCzs3CrZWSom+ZobYl2H:sw56NbOCzxwSoFZobx
- Snake Keylogger payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copy of, a web browser credential store.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext