General
Target: Quotation.pdf.z
Size: 695KB
Sample: 230609-saavxscd58
MD5: 914c47b25aebed13253c66265ab1b6e4
SHA1: 289f0a255ac3ec0b3e9b1e5ceb00453a5b1dca68
SHA256: 32dce7392d6a5e6e91e50ea01f4e78875d83aad4d624dcb43cad64269bf8db17
SHA512: f50445ff2f8177f47e8f51767dee27ea31a43b1f298c73539e0731a0788dd8338fe035f57c639b5f02665ae7a0aaed042b3490588a77dc923b559fd005ef177e
SSDEEP: 12288:5T6XrO3tjWMjaSiQXsz1EjTjktl9uIstSqFTN/+dcBmFYPwHQMgO4NDUmVzBnD0p:oXi3tyMjaWBjTjkn9uLvr/kc+YPwJbiw
Static task: static1
Behavioral task: behavioral1
  Sample: Quotation.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Quotation.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted
  Protocol: smtp
  Host: siamtmc.com
  Port: 587
  Username: sompong@siamtmc.com
  Password: s0mp0ng06
Extracted
  Family: snakekeylogger
  Protocol: smtp
  Host: siamtmc.com
  Port: 587
  Username: sompong@siamtmc.com
  Password: s0mp0ng06
  Email To: rufat@nep-az.com
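The extracted config gives everything needed to hunt for the exfiltration channel: the sample authenticates to siamtmc.com on TCP 587 and mails captured data from sompong@siamtmc.com to rufat@nep-az.com. The following is an added example, not part of the sandbox report, showing detection logic over constructed Sysmon-style network events and a constructed SMTP transcript. The event field names, the allow-list of mail clients and the sample events are assumptions for illustration; only the host, port, sender and recipient come from the report.

```python
"""Hunt for the Snake Keylogger SMTP exfil pattern from the extracted config.

Added example; the log format and allow-list are assumed, the indicators
(host, port, sender, recipient) are taken from the report above.
"""

# Indicators from the extracted config.
EXFIL_HOST = "siamtmc.com"
EXFIL_PORT = 587
EXFIL_SENDER = "sompong@siamtmc.com"
EXFIL_RECIPIENT = "rufat@nep-az.com"

# Processes that legitimately speak SMTP submission on 587 (assumed allow-list).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed sample events, simplified Sysmon Event ID 3 (network connection).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_host": "smtp.office365.com", "dest_port": 587},
    {"image": r"C:\Users\victim\Downloads\Quotation.exe",
     "dest_host": "siamtmc.com", "dest_port": 587},
    {"image": r"C:\Users\victim\Downloads\Quotation.exe",
     "dest_host": "ip-lookup.example", "dest_port": 80},
    {"image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "update.microsoft.com", "dest_port": 443},
]

# Constructed SMTP transcript (client side only) matching the config.
SAMPLE_SMTP = """EHLO DESKTOP-VICTIM
AUTH LOGIN
MAIL FROM:<sompong@siamtmc.com>
RCPT TO:<rufat@nep-az.com>
DATA
"""


def classify(event):
    """Return the list of reasons an event looks like keylogger exfil (empty if benign)."""
    name = event["image"].rsplit("\\", 1)[-1].lower()
    reasons = []
    if event["dest_host"].lower() == EXFIL_HOST:
        reasons.append("connection to known snakekeylogger exfil host")
    if event["dest_port"] == EXFIL_PORT and name not in MAIL_CLIENTS:
        reasons.append("SMTP submission (587) from a non-mail-client process")
    return reasons


def find_exfil(events):
    """Return (image, reasons) for every event that trips at least one rule."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["image"], reasons))
    return hits


def envelope_matches(transcript):
    """True when the SMTP envelope uses the sender and recipient from the config."""
    lines = {line.strip().lower() for line in transcript.splitlines()}
    return (f"mail from:<{EXFIL_SENDER}>" in lines
            and f"rcpt to:<{EXFIL_RECIPIENT}>" in lines)


if __name__ == "__main__":
    for image, reasons in find_exfil(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
    print("envelope matches config:", envelope_matches(SAMPLE_SMTP))
```

The port rule matters more than the host rule: the operator can rotate the mail account without touching the binary's behaviour, while a non-mail process opening an authenticated SMTP submission session stays anomalous. On a real network the transcript check requires visibility into the session (587 is normally STARTTLS), so it is most useful on a sandbox or proxy capture.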
Targets
Target: Quotation.exe
Size: 753KB
MD5: 6a6816bc6f0c4e9da9f8b5ed0863eed1
SHA1: 56d2c76029c5d2036a697f2b9f1e5f9564f7c2ee
SHA256: a278b60ab0bd9823527c0d86509a3a5f31f107e4f8e70761cd62395e27738a0f
SHA512: ad7830f9a85858ce057832611527fddd4d6bc0ad0a01a1d6dd362fd360ef354f405a627d123aba42987e4cdffc1b36a4940e4ec59c1df43e8394f5fe2cf56b4e
SSDEEP: 12288:rKewx/NscEQ+vgXK1Hsa+cmKo1W5qlp1HoADehqfx7b5w4JC2Off03i0mMRry8B+:eewlqB6p5pKosquA0a7C4JCan9y8Ae5Q
Score: 10/10
- Snake Keylogger payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext: rewriting the thread context of another process is a common step in process hollowing (RunPE), where a suspended child process is overwritten with the payload before it is resumed.
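The SetThreadContext signature is only meaningful in sequence: a process created suspended, memory written into it, its main thread's context redirected, then the thread resumed. The following is an added example, not the sandbox's own detection logic, that runs that sequence check over a constructed API trace. The trace format (one tuple per call with a `target_pid` for the process the call operates on) is an assumption for illustration; the CREATE_SUSPENDED flag value is the documented Win32 constant.

```python
"""Detect the process-hollowing API sequence behind a
'Suspicious use of SetThreadContext' signature.

Added example; the trace format and the sample trace are constructed.
"""

CREATE_SUSPENDED = 0x00000004  # documented dwCreationFlags bit for CreateProcess

# Ordered calls against the suspended child that make up the hollowing chain.
HOLLOW_CHAIN = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")

# Constructed trace: (caller_pid, api, args). 'target_pid' is the process the
# call acts on (via a process or thread handle); 'child_pid' is the new process.
SAMPLE_TRACE = [
    (1000, "CreateProcessW", {"lpApplicationName": r"C:\Users\victim\Downloads\Quotation.exe",
                              "dwCreationFlags": CREATE_SUSPENDED, "child_pid": 1100}),
    (1000, "NtUnmapViewOfSection", {"target_pid": 1100}),
    (1000, "VirtualAllocEx", {"target_pid": 1100, "flProtect": 0x40}),
    (1000, "WriteProcessMemory", {"target_pid": 1100, "nSize": 0x8000}),
    (1000, "SetThreadContext", {"target_pid": 1100}),
    (1000, "ResumeThread", {"target_pid": 1100}),
    # A process fiddling with its own thread context (e.g. exception handling) is benign.
    (2000, "SetThreadContext", {"target_pid": 2000}),
]


def suspended_children(trace):
    """Map (parent_pid, child_pid) -> index of the CreateProcess call that used CREATE_SUSPENDED."""
    found = {}
    for i, (pid, api, args) in enumerate(trace):
        if api.startswith("CreateProcess") and args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
            found[(pid, args["child_pid"])] = i
    return found


def detect_hollowing(trace):
    """Return (parent_pid, child_pid) pairs where the full chain follows a suspended create."""
    hits = []
    for (pid, child), start in suspended_children(trace).items():
        remaining = list(HOLLOW_CHAIN)
        for caller, api, args in trace[start + 1:]:
            if caller == pid and args.get("target_pid") == child and api == remaining[0]:
                remaining.pop(0)
                if not remaining:
                    hits.append((pid, child))
                    break
    return hits


def cross_process_setthreadcontext(trace):
    """Weaker signal: every SetThreadContext whose target thread lives in another process."""
    return [(pid, args["target_pid"]) for pid, api, args in trace
            if api == "SetThreadContext" and args.get("target_pid") != pid]


if __name__ == "__main__":
    print("hollowing chains:", detect_hollowing(SAMPLE_TRACE))
    print("cross-process SetThreadContext:", cross_process_setthreadcontext(SAMPLE_TRACE))
```

The ordered-chain check is what separates a debugger or a legitimate suspended launch from hollowing: NtUnmapViewOfSection and VirtualAllocEx are optional (some loaders map over the existing image), so the chain keys on the three calls that every variant needs. The bare cross-process SetThreadContext count is kept as a secondary signal, since it also fires on debuggers and some EDR agents.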