Overview

overview

10

Static

static

1

RFQ_List.exe

windows7-x64

8

RFQ_List.exe

windows10-2004-x64

10

Maidenliness.ps1

windows7-x64

3

Maidenliness.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-10-2024 04:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ_List.exe

  • Size

    905KB

  • MD5

    27393ac93e0c60c934afa5ccdfc7c529

  • SHA1

    e1989ce514efd53819be62e8aa4c51975da0b3e0

  • SHA256

    66f7ca7287b5118119d8e6b8d55222d7662da16c12345a6122a28b64702ae69b

  • SHA512

    672583e3937f3f5f5e84843913da032d5f6d6d32c759758e37710dff340973f9f0c77fb8f5b7b176b26edddec5851aa4902deb103b277b7403ea57d88292b438

  • SSDEEP

    24576:dbusrIDaWLwBhB9XE/2D6lm7Pytae6/B1GX:SX8zB9XQ2gm7OjGB1GX

Score
10/10
snakekeyloggercollectiondiscoveryexecutionkeyloggerstealer

Malware Config

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Blocklisted process makes network request 9 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ_List.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ_List.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Noncuriousness=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Maidenliness.Hal37';$Objektiviserende=$Noncuriousness.SubString(53938,3);.$Objektiviserende($Noncuriousness)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:920
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Noncuriousness=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Maidenliness.Hal37';$Objektiviserende=$Noncuriousness.SubString(53938,3);.$Objektiviserende($Noncuriousness)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:776
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        PID:3404
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 1900
          4⤵
          • Program crash
          PID:2444
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3404 -ip 3404
    1⤵
      PID:4988

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199
      Filesize

      854B

      MD5

      e935bc5762068caf3e24a2683b1b8a88

      SHA1

      82b70eb774c0756837fe8d7acbfeec05ecbf5463

      SHA256

      a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

      SHA512

      bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
      Filesize

      1KB

      MD5

      76b2de4276a82861ed2fc9622aca4532

      SHA1

      121d53d4ccd29ff917c424c703a718f4ce811172

      SHA256

      a5d281814ab7745a410c2de4e66244f253662f3c78fdc0d2a280632afab807e4

      SHA512

      de2758ac45fd6d48008c9ad0f58e71d064e6284f8665cd09794f9d1a6d6c2747ed7c9be6f6a784c530b72290c0de015849e9a650e2ddd7172dda1dba79562605

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD
      Filesize

      471B

      MD5

      ed2bc277627fe9729bb6e14fc0ca8651

      SHA1

      45904821d33b90391b60e1c78283343b40167f79

      SHA256

      7d3aa148aa339df14b24d65c7ec460b0bec9067dee838ef9a48a1028e393a99b

      SHA512

      e02dd1357820ef6824580e5d9277ffcaa8540f936ae076de3dca4a61c2ab4ad0b4d1b024a171473bbd65bd8a9cf27f46167f3f38be04d56280b7348abe23440a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_3459237E893F04A4596206DC25825D64
      Filesize

      472B

      MD5

      452e11716ea4843afe2f66561e31bed5

      SHA1

      36e2c61b5ead22352683945567e75f3bfbfc6b3c

      SHA256

      9daa8523616103e9dd1f7ba52b95b16fcf1b6935d43488db6abf5467dceab917

      SHA512

      b9089c671248e5a4b47742756da9837ae49da54a9cd3072624266adaaf69bcc32dabde6fcd1b7529ec6fefa3b127ec745ce425f3de22bc3cff1b922be8075d89

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
      Filesize

      170B

      MD5

      9224a0d544f947ec46294c488132b9a3

      SHA1

      ec869feca2a6c19ae6d62ab9ad3247ebad4e0c15

      SHA256

      884a0925f50819890e08baf5e10263cd427930196647349d6d5fa8677e06812a

      SHA512

      5e89cec0508d52ee57c55d0b368d59a5b1dd273f4e3d8c17df4757f316faee0d98b344dc9481cdd21de315afbfc698e1b9fbe153c0111c135c911603999ef32e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
      Filesize

      410B

      MD5

      0a5fd193247c3c160d916815f61b801b

      SHA1

      0f7f2eec409dd598c2c19cd8ab9a9310033c5c3f

      SHA256

      cbf3892ae1625329d9a69ff2e4030e877ed0adb2c035eecc80d8a9bd88a86951

      SHA512

      c2db05c3284eeef9f6083ea6931fdbb85572ee6d397c5d5432615a3695e1443c29bc7db6f973f548fd5d46423fe1bcd32024456fcf61f34eb3918fbf92ecf6ab

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD
      Filesize

      406B

      MD5

      2af1c4f7f2493398922103e38b6e6938

      SHA1

      9ec25310ddea7bc5d87b953da5ca53cd7a0791ba

      SHA256

      30bb75960292d170abd7dbdfe7a213ff60dc39062defc30cac5c99671e4fe4c0

      SHA512

      e0582a0bb39af62d032f42b327f801cd342219c53760e62ccb41cbad172a591df424101772e70c41b8d07bd8cdc16976dfe4269948594aaffe10a6677951e209

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_3459237E893F04A4596206DC25825D64
      Filesize

      402B

      MD5

      d8e25551ff67c87abe826b54caa79004

      SHA1

      3c5f26bad3185f1ccdf7894a31c5d8776d7b0557

      SHA256

      09f49e020363cdeea02557248c72169e07f3cb3e3f43906a30f8a6633a4ca18c

      SHA512

      e2f2a39abc1c104a4ba20bdd8ee5d2f84f4c9c64a4e617f058f2149da941115ae080e67530a7d2961db16380ef540fceac68856ddd34ab5bb46083553a415ea3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Damascenere.lnk
      Filesize

      821B

      MD5

      8bab97a7c73dc53f3a92ececdf91b674

      SHA1

      a59adc96408cd84caa283280546b7d16875fea9f

      SHA256

      819d69eccd15642d01380f6e6c1d5a5fba5ad62d25ed5b604b5cd8f96d290e32

      SHA512

      75388ab37d3e8eb018042f37e2b2a7ad0d6dd0565b662455fa802b2635468946e925e52bd1ed647b7aa81acbdcdf21eda5810981cf0359e24868aa250cc79ecb

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Damascenere.lnk
      Filesize

      775B

      MD5

      fb241d07e8b3558780b49a931067493f

      SHA1

      ed95b20fead530b5877817a20a8b629cd25f95b5

      SHA256

      62ad1d76ff6fd74fb79518f040a9f3b8823bb2d02c59b99d0e26a1f186c6e298

      SHA512

      a848644033ea3b2066de5847b1201ee6b766ea7405ba1adc7565c8e4dacc26513a4564b6d65850fe4bd49c84391bc5a5241b8603fa56cfb72352ac06dd621c8c

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
      Filesize

      53KB

      MD5

      01404e51f6442f60e478c306b1e6e52e

      SHA1

      37f234ccf5611b8309023410ceb9e76ad81f5678

      SHA256

      d4356dd23aa2e811712132f9718786331661a1bd0d062c49cb76807b9563928b

      SHA512

      94a9d843ae4055e2a9b412f03cba85e2d7b804ec3106f059d14ca50b15ae4acc6cd452f9461c2e21d1632d06848c969732c539aea17869b8b3a2f5ab93b891d7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ldz4gklh.odw.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Maidenliness.Hal37
      Filesize

      52KB

      MD5

      f80de07a4ce30153f8406db6a12af56e

      SHA1

      bbe21fa2d5c1c6f2cad16333a3d095547f3426d2

      SHA256

      510d5a55e94d189ab5afadb87a4fb0be42220646e2b2cb470511c3055c0eeba6

      SHA512

      248a69f2a9ba266d4a571646f2235f67833edf425f3a0350becd520cc941b556bccd863ec8270de81ee48dc91bcc8f5a9bc71e51a89fd4eed529c843f1e43428

      Download Submit

    • C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Pedanter.Dou
      Filesize

      320KB

      MD5

      489a9469b8457a7dad8c174d89221366

      SHA1

      52da5892b83416d9328eec4a15b5c217ee08c1f0

      SHA256

      b150f922d2266e7e99c0fc7e5aa565becc5671daea479980b741adc1d99b2be2

      SHA512

      c788bf86225c25df3c4020012d38a68cf107bfeb18b7c43adf20e2969c9cf35bd2e959dd8c67337dfed2fb677ecb749e6d9634f0b5caa548f10971c4295e2473

      Download Submit

    • C:\Windows\Resources\Nebengeschfter.ini
      Filesize

      32B

      MD5

      53898e643bd3e0ca22a462325ad62da4

      SHA1

      e0f08a75fa5219f39e49c1b9f361119905da7d02

      SHA256

      b947991000aea669ebfeadfb12de45121d46ad3dfd02296f373f9bf8ce4f1aff

      SHA512

      aa17b99a93a04f7bbbb92f34c15921da80e20592a39b3921f1d3cc59fae55f66196b2be4f56716846daff041253cb63d7e373b84234d451181c87f1d097fe8ca

      Download Submit

    • memory/640-170-0x0000000005CC0000-0x0000000005D26000-memory.dmp

      Filesize

      408KB

      Download

    • memory/640-184-0x0000000006350000-0x000000000639C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/640-187-0x00000000073C0000-0x0000000007456000-memory.dmp

      Filesize

      600KB

      Download

    • memory/640-189-0x0000000006860000-0x0000000006882000-memory.dmp

      Filesize

      136KB

      Download

    • memory/640-190-0x0000000007A10000-0x0000000007FB4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/640-192-0x0000000008640000-0x0000000008CBA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/640-270-0x0000000007750000-0x0000000007782000-memory.dmp

      Filesize

      200KB

      Download

    • memory/640-344-0x0000000074260000-0x0000000074A10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/640-343-0x00000000706E0000-0x000000007072C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/640-345-0x0000000070DE0000-0x0000000071134000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/640-355-0x0000000007730000-0x000000000774E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/640-356-0x00000000077A0000-0x0000000007843000-memory.dmp

      Filesize

      652KB

      Download

    • memory/640-357-0x00000000078C0000-0x00000000078CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/640-358-0x0000000074260000-0x0000000074A10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/640-360-0x0000000007FF0000-0x000000000801A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/640-361-0x0000000008020000-0x0000000008044000-memory.dmp

      Filesize

      144KB

      Download

    • memory/640-373-0x0000000074260000-0x0000000074A10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/640-188-0x00000000067F0000-0x000000000680A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/640-183-0x0000000006320000-0x000000000633E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/640-375-0x000000007426E000-0x000000007426F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/640-376-0x0000000074260000-0x0000000074A10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/640-178-0x0000000005D30000-0x0000000006084000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/640-169-0x0000000005C50000-0x0000000005CB6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/640-168-0x0000000005360000-0x0000000005382000-memory.dmp

      Filesize

      136KB

      Download

    • memory/640-167-0x0000000074260000-0x0000000074A10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/640-389-0x0000000074260000-0x0000000074A10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/640-390-0x0000000008CC0000-0x000000000DB04000-memory.dmp

      Filesize

      78.3MB

      Download

    • memory/640-391-0x0000000074260000-0x0000000074A10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/640-166-0x0000000005530000-0x0000000005B58000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/640-165-0x0000000074260000-0x0000000074A10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/640-395-0x0000000074260000-0x0000000074A10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/640-164-0x0000000002D50000-0x0000000002D86000-memory.dmp

      Filesize

      216KB

      Download

    • memory/640-399-0x0000000074260000-0x0000000074A10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/640-163-0x000000007426E000-0x000000007426F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/776-362-0x0000000074260000-0x0000000074A10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/776-372-0x0000000074260000-0x0000000074A10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/776-400-0x0000000074260000-0x0000000074A10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/776-393-0x0000000074260000-0x0000000074A10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/776-392-0x0000000074260000-0x0000000074A10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/776-379-0x0000000070DE0000-0x0000000071134000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/776-377-0x00000000706E0000-0x000000007072C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/776-359-0x0000000074260000-0x0000000074A10000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/920-401-0x0000000001000000-0x0000000002254000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/920-422-0x0000000001000000-0x0000000002254000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/920-423-0x0000000001000000-0x0000000001026000-memory.dmp

      Filesize

      152KB

      Download

    • memory/920-424-0x0000000024EC0000-0x0000000024F5C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/920-429-0x0000000025340000-0x0000000025390000-memory.dmp

      Filesize

      320KB

      Download

    • memory/920-430-0x0000000025B50000-0x0000000025D12000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/920-431-0x0000000025A20000-0x0000000025AB2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/920-432-0x0000000025330000-0x000000002533A000-memory.dmp

      Filesize

      40KB

      Download