General

  • Target: P.O 3805.PDF.z
  • Size: 494KB
  • Sample: 230609-xwwrqsda93
  • MD5: 7fca74aa3d889f511284042cd24ae33e
  • SHA1: 08495d3af654659a8ac64d8b162bad4a64cbd470
  • SHA256: e89dcb9021fc349ad0a05bfdb6ebcdddb405d8f172aaa8f399f8ec0ab9c99d58
  • SHA512: fec61a46c0e9293628bf2a1c6ee8088b5cc4d05ddd514c53feb10ce070b9cd915aebef6883393fa5f90644dca6905a290da4123c5ca82d22f8576cbe9f8751cb
  • SSDEEP: 12288:suiCWwNBt6DLGPUFXWc4jvtKjUBvlQl2ZQWJ:su4wNBt6DLGSWOjpPWJ

Malware Config

Extracted

Credentials

  • Protocol: smtp
  • Host: siamtmc.com
  • Port: 587
  • Username: sompong@siamtmc.com
  • Password: s0mp0ng06

Extracted

Family

snakekeylogger

Credentials

  • Protocol: smtp
  • Host: siamtmc.com
  • Port: 587
  • Username: sompong@siamtmc.com
  • Password: s0mp0ng06
  • Email To: rufat@nep-az.com

Targets

    • Target: P.O 3805.exe
    • Size: 820KB
    • MD5: 15acff30d0935be4d601433d66db1734
    • SHA1: 3f115bfb24158a31b475b4fa314c8a7ec476ab32
    • SHA256: 3aba02f8b1e468adf8164eb3932c56bf1082cad0f3c94a9b315e51ced8526669
    • SHA512: bea047c63a4cdf85eebfb80cda7fb6f028f489053d4b2ad5ad88f7bc75d11641a9c454469d4f0b61a056ef3ad229e0a87b3a55d5d68fbc0706ddd68d076a9f4e
    • SSDEEP: 6144:kECzU9V2fTa7sH/T1pJthdc31GlS/oZ/6fZUcHpVDDMhn6TFh/Dn3R4EVm8LMGsW:/aI31GeueJDMMFhjRxMGrd2UswtN3a

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution: Scheduled Task (1), T1053
  • Persistence: Scheduled Task (1), T1053
  • Privilege Escalation: Scheduled Task (1), T1053
  • Credential Access: Credentials in Files (2), T1081
  • Discovery: Query Registry (1), T1012; System Information Discovery (2), T1082
  • Collection: Data from Local System (2), T1005; Email Collection (1), T1114

Tasks