Overview

overview

10

Static

static

1

REQUEST FO...er.exe

windows7-x64

10

REQUEST FO...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    501s
  • max time network
    504s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/03/2023, 13:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    REQUEST FOR QUOTE - AJAX Quote for tender.exe

  • Size

    962KB

  • MD5

    0cf2257d8f0ea8c72741926c8f831ad0

  • SHA1

    3b3e4b8b9eab1cbb93e9f0dd3359edf0967d8fda

  • SHA256

    36de80967b905a8119ff8a5f0871dc21086ff79c04ce3955662548c3e372de52

  • SHA512

    0b03333dfa368ab2149feaff26a6399c84f99450f861eb12e508e862a1721043a0a028c562aa4ae9052fbd9a344357e4c0cedbdffae9fdfc0ea2f198be5592ef

  • SSDEEP

    24576:ZVYNUfqBp6ROPMmJTHKb4uSYSq4s3Vg1g:MNHRTTHE1ze1

Score
10/10
snakekeyloggercollectionkeyloggerspywarestealer

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6294963808:AAHsAyiV20w0jAQZxovKntkKJLihCbqiKkE/sendMessage?chat_id=5675280301

Signatures

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • Snake Keylogger payload 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTE - AJAX Quote for tender.exe
    "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTE - AJAX Quote for tender.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4512
    • C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTE - AJAX Quote for tender.exe
      "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTE - AJAX Quote for tender.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2708

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2708-140-0x0000000000400000-0x0000000000426000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2708-142-0x0000000005780000-0x0000000005790000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2708-143-0x0000000006940000-0x0000000006B02000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2708-144-0x0000000005780000-0x0000000005790000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4512-133-0x0000000000590000-0x0000000000686000-memory.dmp

    Filesize

    984KB

    Download

  • memory/4512-134-0x0000000005740000-0x0000000005CE4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4512-135-0x0000000005070000-0x0000000005102000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4512-136-0x0000000005030000-0x000000000503A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4512-137-0x0000000005020000-0x0000000005030000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4512-138-0x0000000005020000-0x0000000005030000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4512-139-0x0000000007FB0000-0x000000000804C000-memory.dmp

    Filesize

    624KB

    Download