Overview

overview

10

Static

static

1

RFQ_List.exe

windows10-1703-x64

10

Maidenliness.ps1

windows10-1703-x64

8

Analysis

  • max time kernel
    599s
  • max time network
    414s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-ja
  • resource tags

    arch:x64arch:x86image:win10-20240404-jalocale:ja-jpos:windows10-1703-x64systemwindows
  • submitted
    23-10-2024 04:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ_List.exe

  • Size

    905KB

  • MD5

    27393ac93e0c60c934afa5ccdfc7c529

  • SHA1

    e1989ce514efd53819be62e8aa4c51975da0b3e0

  • SHA256

    66f7ca7287b5118119d8e6b8d55222d7662da16c12345a6122a28b64702ae69b

  • SHA512

    672583e3937f3f5f5e84843913da032d5f6d6d32c759758e37710dff340973f9f0c77fb8f5b7b176b26edddec5851aa4902deb103b277b7403ea57d88292b438

  • SSDEEP

    24576:dbusrIDaWLwBhB9XE/2D6lm7Pytae6/B1GX:SX8zB9XQ2gm7OjGB1GX

Score
10/10
snakekeyloggercollectiondiscoveryevasionexecutionkeyloggerstealertrojan

Malware Config

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Blocklisted process makes network request 15 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ_List.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ_List.exe"
    1⤵
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:208
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Noncuriousness=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Maidenliness.Hal37';$Objektiviserende=$Noncuriousness.SubString(53938,3);.$Objektiviserende($Noncuriousness)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4532
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:86284
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Noncuriousness=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Maidenliness.Hal37';$Objektiviserende=$Noncuriousness.SubString(53938,3);.$Objektiviserende($Noncuriousness)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3656
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:181616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199
    Filesize

    854B

    MD5

    e935bc5762068caf3e24a2683b1b8a88

    SHA1

    82b70eb774c0756837fe8d7acbfeec05ecbf5463

    SHA256

    a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

    SHA512

    bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    1KB

    MD5

    76b2de4276a82861ed2fc9622aca4532

    SHA1

    121d53d4ccd29ff917c424c703a718f4ce811172

    SHA256

    a5d281814ab7745a410c2de4e66244f253662f3c78fdc0d2a280632afab807e4

    SHA512

    de2758ac45fd6d48008c9ad0f58e71d064e6284f8665cd09794f9d1a6d6c2747ed7c9be6f6a784c530b72290c0de015849e9a650e2ddd7172dda1dba79562605

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD
    Filesize

    471B

    MD5

    ed2bc277627fe9729bb6e14fc0ca8651

    SHA1

    45904821d33b90391b60e1c78283343b40167f79

    SHA256

    7d3aa148aa339df14b24d65c7ec460b0bec9067dee838ef9a48a1028e393a99b

    SHA512

    e02dd1357820ef6824580e5d9277ffcaa8540f936ae076de3dca4a61c2ab4ad0b4d1b024a171473bbd65bd8a9cf27f46167f3f38be04d56280b7348abe23440a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
    Filesize

    4KB

    MD5

    1bfe591a4fe3d91b03cdf26eaacd8f89

    SHA1

    719c37c320f518ac168c86723724891950911cea

    SHA256

    9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

    SHA512

    02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_3459237E893F04A4596206DC25825D64
    Filesize

    472B

    MD5

    452e11716ea4843afe2f66561e31bed5

    SHA1

    36e2c61b5ead22352683945567e75f3bfbfc6b3c

    SHA256

    9daa8523616103e9dd1f7ba52b95b16fcf1b6935d43488db6abf5467dceab917

    SHA512

    b9089c671248e5a4b47742756da9837ae49da54a9cd3072624266adaaf69bcc32dabde6fcd1b7529ec6fefa3b127ec745ce425f3de22bc3cff1b922be8075d89

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
    Filesize

    170B

    MD5

    29e0d3c1984e286ba17086ca4fe01d9c

    SHA1

    1c460fcc2066ab3e0bfccb8fd41dd9b22d2edc19

    SHA256

    e5e7f628e55d0264381f690e4d369d0163c0ab164ed90b9aeaaaaaf5aafe7914

    SHA512

    03fb0fc95ebfb44d3ce901bc9630e52fd18b963f7e44b88b4c6b9ac9d6682dc1fb2b8e6b95b84be158b74f2ff8c6a9137ab6107807e40d112b9be1f9bf007977

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
    Filesize

    410B

    MD5

    7c66ba37bfe88b9879e78d451abef35e

    SHA1

    25bb675d54634253806ce8711415f76e649f4913

    SHA256

    6fdb44c3487ea204db5303dd83eb2844dfed7002f44963dfd99e85539742b2cd

    SHA512

    ae72d42a78de90f9036ab644e08ee999067add6a0e16e32267fd8dc82a6530a436cecb9a89bbfb5af4f54f2704a3370b818d7f797de557b86529e82ef9413222

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD
    Filesize

    406B

    MD5

    3918bfd40261a0882944ccc8cac06fbf

    SHA1

    b4eddfd8ded7204415a913a25c774a0167f03934

    SHA256

    1a40abc7d57bd637ba6a4be9050df4899a0bc4d2937830cf77dabf140ea2ea53

    SHA512

    2ee4a50c2eac196e8f36b9ca3e51ae6cd723d9060a8992903512022de86f0e57c323e49f8e582ebc06a4b4096200377f861c44d732706be126e2cb4b11fb6b5b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
    Filesize

    338B

    MD5

    cd4273e3a5aaacf8dd19c204bae7eacd

    SHA1

    4c66beb1a6a0b18450d154dbdfe92ee844cd787b

    SHA256

    048660af942ebd3abef243f401aa5abb5df7636e253850fb67f221f71de33e49

    SHA512

    4a47e9583bdfe06c53e21bbde3f8a140db60058ef207495b324cefce7de729d776ec8a6dcfd30432c18eebab26ef13d4788e95387d91e716869f0f780bab036a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_3459237E893F04A4596206DC25825D64
    Filesize

    402B

    MD5

    72ce99b92d983907d8c76c5918d1e7f9

    SHA1

    7cbcbe1f355d007cb2187bf4b1ed2dd7256d4e4c

    SHA256

    c8f16a9fb4661544a070a337b5cacc9c57ea1f646326782ae22d3f891364bf37

    SHA512

    fe4e8a9a7047310192ab0d2826e10338438772c81bfbb0336772a87080e74939ec3ff11c5344adc47f9cb213a0ce06ca4d1472b85cfa892afd6d2fc7d02ed7a6

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Damascenere.lnk
    Filesize

    775B

    MD5

    fb241d07e8b3558780b49a931067493f

    SHA1

    ed95b20fead530b5877817a20a8b629cd25f95b5

    SHA256

    62ad1d76ff6fd74fb79518f040a9f3b8823bb2d02c59b99d0e26a1f186c6e298

    SHA512

    a848644033ea3b2066de5847b1201ee6b766ea7405ba1adc7565c8e4dacc26513a4564b6d65850fe4bd49c84391bc5a5241b8603fa56cfb72352ac06dd621c8c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Damascenere.lnk
    Filesize

    821B

    MD5

    8bab97a7c73dc53f3a92ececdf91b674

    SHA1

    a59adc96408cd84caa283280546b7d16875fea9f

    SHA256

    819d69eccd15642d01380f6e6c1d5a5fba5ad62d25ed5b604b5cd8f96d290e32

    SHA512

    75388ab37d3e8eb018042f37e2b2a7ad0d6dd0565b662455fa802b2635468946e925e52bd1ed647b7aa81acbdcdf21eda5810981cf0359e24868aa250cc79ecb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    45KB

    MD5

    0c644b07fe7e6c0deb8333c4c128303b

    SHA1

    3f618bd00e5f868e07da84bb9fd87dc42aef3ed6

    SHA256

    d500f1185b5eb203a50caed321603b759a63871cbfdab663e761df5f59c99db6

    SHA512

    a752e392c68402fcae03015ea98a01c82a2b3f806be61b1c260550f64230f9b30380aae3f6e7ab0de5e65f95d6aec9543a348026e42f71f8794771d210e2bb53

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3zczxxea.wtd.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Maidenliness.Hal37
    Filesize

    52KB

    MD5

    f80de07a4ce30153f8406db6a12af56e

    SHA1

    bbe21fa2d5c1c6f2cad16333a3d095547f3426d2

    SHA256

    510d5a55e94d189ab5afadb87a4fb0be42220646e2b2cb470511c3055c0eeba6

    SHA512

    248a69f2a9ba266d4a571646f2235f67833edf425f3a0350becd520cc941b556bccd863ec8270de81ee48dc91bcc8f5a9bc71e51a89fd4eed529c843f1e43428

    Download Submit

  • C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Pedanter.Dou
    Filesize

    320KB

    MD5

    489a9469b8457a7dad8c174d89221366

    SHA1

    52da5892b83416d9328eec4a15b5c217ee08c1f0

    SHA256

    b150f922d2266e7e99c0fc7e5aa565becc5671daea479980b741adc1d99b2be2

    SHA512

    c788bf86225c25df3c4020012d38a68cf107bfeb18b7c43adf20e2969c9cf35bd2e959dd8c67337dfed2fb677ecb749e6d9634f0b5caa548f10971c4295e2473

    Download Submit

  • C:\Windows\Resources\Nebengeschfter.ini
    Filesize

    32B

    MD5

    53898e643bd3e0ca22a462325ad62da4

    SHA1

    e0f08a75fa5219f39e49c1b9f361119905da7d02

    SHA256

    b947991000aea669ebfeadfb12de45121d46ad3dfd02296f373f9bf8ce4f1aff

    SHA512

    aa17b99a93a04f7bbbb92f34c15921da80e20592a39b3921f1d3cc59fae55f66196b2be4f56716846daff041253cb63d7e373b84234d451181c87f1d097fe8ca

    Download Submit

  • memory/3656-7020-0x0000000009470000-0x00000000094B8000-memory.dmp

    Filesize

    288KB

    Download

  • memory/3656-4548-0x000000006EF80000-0x000000006EFCB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3656-4549-0x000000006F0D0000-0x000000006F420000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4532-184-0x0000000008220000-0x000000000826B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4532-179-0x0000000007360000-0x0000000007370000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4532-366-0x0000000009A00000-0x0000000009EFE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4532-363-0x0000000009410000-0x0000000009432000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4532-374-0x000000000A580000-0x000000000ABF8000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4532-2396-0x000000006EF80000-0x000000006EFCB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4532-2397-0x000000006F0D0000-0x000000006F420000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4532-2402-0x0000000009840000-0x000000000985E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4532-2395-0x0000000009860000-0x0000000009893000-memory.dmp

    Filesize

    204KB

    Download

  • memory/4532-2407-0x0000000009930000-0x00000000099D5000-memory.dmp

    Filesize

    660KB

    Download

  • memory/4532-3123-0x0000000009F80000-0x0000000009FA2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4532-2936-0x0000000009F50000-0x0000000009F7A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/4532-3550-0x0000000009F80000-0x0000000009F96000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4532-3830-0x0000000009FB0000-0x0000000009FB8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4532-361-0x0000000009370000-0x0000000009404000-memory.dmp

    Filesize

    592KB

    Download

  • memory/4532-187-0x0000000008520000-0x0000000008596000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4532-5196-0x000000000A090000-0x000000000A0B0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4532-183-0x0000000007F80000-0x0000000007F9C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/4532-180-0x0000000008040000-0x000000000814E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4532-23221-0x0000000072380000-0x0000000072A6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4532-23220-0x000000007238E000-0x000000007238F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4532-38524-0x0000000072380000-0x0000000072A6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4532-40190-0x000000000AC00000-0x000000000FA44000-memory.dmp

    Filesize

    78.3MB

    Download

  • memory/4532-362-0x0000000009300000-0x000000000931A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4532-609635-0x0000000072380000-0x0000000072A6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4532-165-0x000000007238E000-0x000000007238F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4532-168-0x0000000004B20000-0x0000000004B56000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4532-169-0x0000000072380000-0x0000000072A6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4532-178-0x0000000007BE0000-0x0000000007F30000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4532-177-0x0000000007A70000-0x0000000007AD6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4532-176-0x0000000007A00000-0x0000000007A66000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4532-175-0x0000000007310000-0x0000000007332000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4532-174-0x0000000007270000-0x0000000007302000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4532-173-0x0000000072380000-0x0000000072A6E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4532-170-0x00000000073D0000-0x00000000079F8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/86284-1025655-0x0000000003400000-0x0000000004783000-memory.dmp

    Filesize

    19.5MB

    Download

  • memory/86284-930211-0x0000000003400000-0x0000000004783000-memory.dmp

    Filesize

    19.5MB

    Download

  • memory/86284-1045528-0x0000000003400000-0x0000000004783000-memory.dmp

    Filesize

    19.5MB

    Download

  • memory/86284-1045727-0x0000000003400000-0x0000000003426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/86284-1045728-0x0000000027400000-0x000000002749C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/181616-1043870-0x00000000030D0000-0x0000000004453000-memory.dmp

    Filesize

    19.5MB

    Download

  • memory/181616-1046568-0x00000000030D0000-0x00000000030F6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/181616-1046369-0x00000000030D0000-0x0000000004453000-memory.dmp

    Filesize

    19.5MB

    Download

  • memory/181616-1046600-0x0000000026B00000-0x0000000026B14000-memory.dmp

    Filesize

    80KB

    Download

  • memory/181616-1046603-0x00000000273F0000-0x00000000275B2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/181616-1046620-0x0000000027220000-0x00000000272B2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/181616-1046621-0x0000000026B70000-0x0000000026B7A000-memory.dmp

    Filesize

    40KB

    Download