General

  • Target

    Quotation.pdf.z

  • Size

    695KB

  • Sample

    230609-saavxscd58

  • MD5

    914c47b25aebed13253c66265ab1b6e4

  • SHA1

    289f0a255ac3ec0b3e9b1e5ceb00453a5b1dca68

  • SHA256

    32dce7392d6a5e6e91e50ea01f4e78875d83aad4d624dcb43cad64269bf8db17

  • SHA512

    f50445ff2f8177f47e8f51767dee27ea31a43b1f298c73539e0731a0788dd8338fe035f57c639b5f02665ae7a0aaed042b3490588a77dc923b559fd005ef177e

  • SSDEEP

    12288:5T6XrO3tjWMjaSiQXsz1EjTjktl9uIstSqFTN/+dcBmFYPwHQMgO4NDUmVzBnD0p:oXi3tyMjaWBjTjkn9uLvr/kc+YPwJbiw

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    siamtmc.com
  • Port:
    587
  • Username:
    sompong@siamtmc.com
  • Password:
    s0mp0ng06

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    siamtmc.com
  • Port:
    587
  • Username:
    sompong@siamtmc.com
  • Password:
    s0mp0ng06
  • Email To:
    rufat@nep-az.com

Targets

    • Target

      Quotation.exe

    • Size

      753KB

    • MD5

      6a6816bc6f0c4e9da9f8b5ed0863eed1

    • SHA1

      56d2c76029c5d2036a697f2b9f1e5f9564f7c2ee

    • SHA256

      a278b60ab0bd9823527c0d86509a3a5f31f107e4f8e70761cd62395e27738a0f

    • SHA512

      ad7830f9a85858ce057832611527fddd4d6bc0ad0a01a1d6dd362fd360ef354f405a627d123aba42987e4cdffc1b36a4940e4ec59c1df43e8394f5fe2cf56b4e

    • SSDEEP

      12288:rKewx/NscEQ+vgXK1Hsa+cmKo1W5qlp1HoADehqfx7b5w4JC2Off03i0mMRry8B+:eewlqB6p5pKosquA0a7C4JCan9y8Ae5Q

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    Scheduled Task (1): T1053
  • Persistence
    Scheduled Task (1): T1053
  • Privilege Escalation
    Scheduled Task (1): T1053
  • Credential Access
    Credentials in Files (2): T1081
  • Discovery
    Query Registry (1): T1012
    System Information Discovery (2): T1082
  • Collection
    Data from Local System (2): T1005
    Email Collection (1): T1114

Tasks