Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-10-2023 16:54
Static task
- static1
Behavioral task
- behavioral1
  - Sample: REQUEST FOR QUOTATION E230830F2.exe
  - Resource: win7-20230831-en
Behavioral task
- behavioral2
  - Sample: REQUEST FOR QUOTATION E230830F2.exe
  - Resource: win10v2004-20230915-en
General
- Target: REQUEST FOR QUOTATION E230830F2.exe
- Size: 560KB
- MD5: 5bef2b26267e7cfbc2d8c02404627ccd
- SHA1: 8ee2fe6bb21ff176100bc9403e060a4aa2021403
- SHA256: de3b0df29cca773ff488c9e27f051b767fa7bd93ae9fedd5db91037de48615ca
- SHA512: 386bf359c6c6acc6ea0071c24efd7f1beea3930c1c2045c0c6c71fd1f8f2ca1caeb1506c1c0aca24abe022c7ad061a3d1a5531aa74b52f9578f931ffa0aad6fe
- SSDEEP: 12288:kY2AfDuHOXDAMfAkcOJJy5CoKHLw+wEcryuleCWp8N7:kY2gxf2OXy5CoCLJwyule
Malware Config
Extracted
snakekeylogger
- Protocol: smtp
- Host: mail.xantara.com.my
- Port: 587
- Username: [email protected]
- Password: Limetree342983!
- Email To: [email protected]
Signatures
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
- Snake Keylogger payload (1 IoC)
  Processes:
    resource: behavioral2/memory/3432-12-0x0000000000400000-0x0000000000424000-memory.dmp
    yara_rule: family_snakekeylogger
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  The 9375CFF0413111d3B88A00104B2A6676 subkey holds Outlook's per-account settings, including stored mail credentials; RegSvcs.exe has no legitimate reason to open it.
  Processes: RegSvcs.exe
    Key opened: \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 41: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Taken together with the WriteProcessMemory events below, this is the process-hollowing pattern: the dropper launches a signed .NET utility (RegSvcs.exe), overwrites its memory and redirects its thread to the injected code. The YARA hit on PID 3432's 0x400000-0x424000 region is that injected payload. The first child, PID 3528, received writes but no thread-context change and shows no further activity in this run.
  Processes: REQUEST FOR QUOTATION E230830F2.exe
    PID 3092 (REQUEST FOR QUOTATION E230830F2.exe) set thread context of PID 3432 (RegSvcs.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: REQUEST FOR QUOTATION E230830F2.exe, RegSvcs.exe
    PID 3092 REQUEST FOR QUOTATION E230830F2.exe (2 events)
    PID 3432 RegSvcs.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: REQUEST FOR QUOTATION E230830F2.exe, RegSvcs.exe
    Token: SeDebugPrivilege, PID 3092 REQUEST FOR QUOTATION E230830F2.exe
    Token: SeDebugPrivilege, PID 3432 RegSvcs.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: REQUEST FOR QUOTATION E230830F2.exe
    PID 3092 (REQUEST FOR QUOTATION E230830F2.exe) wrote to memory of PID 3528 (RegSvcs.exe): 3 events
    PID 3092 (REQUEST FOR QUOTATION E230830F2.exe) wrote to memory of PID 3432 (RegSvcs.exe): 8 events
- outlook_office_path (1 IoC)
  Processes: RegSvcs.exe
    Key opened: \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- outlook_win_path (1 IoC)
  Processes: RegSvcs.exe
    Key opened: \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
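Added example, not part of the sandbox report: the correlation a detection engineer would write over the behaviour events listed in the Signatures section, in Python. The EVENTS list is constructed by hand from the report's own PIDs, image names, registry keys and DNS lookup; the event dict layout, the list of commonly hollowed .NET host binaries and the list of IP-lookup services are this example's assumptions, not sandbox output.

```python
"""Rule logic over the behaviour events recorded in the report above.

EVENTS is reconstructed by hand from the Signatures section (constructed
test data).  The dict layout, HOLLOW_HOSTS and IP_LOOKUP_HOSTS are this
example's own choices.
"""
from collections import defaultdict

SID = "S-1-5-21-2890696111-2332180956-3312704074-1000"  # user SID from the report

# Signed .NET framework utilities that run with no arguments, which is why
# droppers pick them as hollowing hosts (assumed list; RegSvcs.exe is the one used here).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "applaunch.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe"}
# Substrings (lower-case) that mark Outlook profile storage under HKCU.
OUTLOOK_PROFILE_MARKERS = (r"\outlook\profiles", r"\windows messaging subsystem\profiles")
# Public "what is my IP" services seen in stealer beacons (assumed list).
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ip-api.com"}

EVENTS = [
    {"type": "process", "pid": 3092, "image": "REQUEST FOR QUOTATION E230830F2.exe", "parent": None},
    {"type": "process", "pid": 3528, "image": "RegSvcs.exe", "parent": 3092},
    {"type": "process", "pid": 3432, "image": "RegSvcs.exe", "parent": 3092},
    {"type": "privilege", "pid": 3092, "name": "SeDebugPrivilege"},
    {"type": "privilege", "pid": 3432, "name": "SeDebugPrivilege"},
    # 3 writes into the first RegSvcs.exe, 8 into the second: the 11 IoCs in the report
    *({"type": "write_memory", "pid": 3092, "target": 3528} for _ in range(3)),
    *({"type": "write_memory", "pid": 3092, "target": 3432} for _ in range(8)),
    {"type": "set_thread_context", "pid": 3092, "target": 3432},
    {"type": "reg_open", "pid": 3432, "key": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "reg_open", "pid": 3432, "key": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "reg_open", "pid": 3432, "key": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "dns", "host": "checkip.dyndns.org"},  # flow 41; the report does not tie it to a PID
]


def _images(events):
    """Map PID -> image name from the process-creation events."""
    return {e["pid"]: e["image"] for e in events if e["type"] == "process"}


def detect_hollowing(events):
    """Pair WriteProcessMemory and SetThreadContext by (parent, child).
    Writes plus a thread-context reset on a known host binary is hollowing;
    writes with no reset (PID 3528 in this run) are reported as a weaker finding."""
    images = _images(events)
    writes = defaultdict(int)
    context = set()
    for e in events:
        if e["type"] == "write_memory":
            writes[(e["pid"], e["target"])] += 1
        elif e["type"] == "set_thread_context":
            context.add((e["pid"], e["target"]))
    findings = []
    for (src, dst), n in sorted(writes.items()):
        image = images.get(dst, "")
        if image.lower() not in HOLLOW_HOSTS:
            continue
        resumed = (src, dst) in context
        findings.append({"parent": src, "child": dst, "image": image, "writes": n,
                         "thread_context": resumed,
                         "verdict": "hollowed" if resumed else "written, never resumed"})
    return findings


def detect_outlook_profile_access(events):
    """Flag any process other than Outlook itself opening Outlook profile keys,
    the location stealers read for stored mail-account credentials."""
    images = _images(events)
    hits = []
    for e in events:
        if e["type"] != "reg_open":
            continue
        key = e["key"].lower()
        image = images.get(e["pid"], "")
        if any(m in key for m in OUTLOOK_PROFILE_MARKERS) and image.lower() != "outlook.exe":
            hits.append((e["pid"], image, e["key"]))
    return hits


def detect_ip_lookup(events):
    """Return the external-IP services the sample resolved."""
    return sorted({e["host"] for e in events if e["type"] == "dns" and e["host"].lower() in IP_LOOKUP_HOSTS})


def triage(events):
    """Combine the rules: credential access from a process we just saw being
    hollowed is what separates a stealer from a plain packer."""
    hollow = detect_hollowing(events)
    outlook = detect_outlook_profile_access(events)
    lookups = detect_ip_lookup(events)
    hollowed_pids = {f["child"] for f in hollow if f["thread_context"]}
    stealer = any(pid in hollowed_pids for pid, _, _ in outlook)
    if stealer:
        verdict = "infostealer (hollowed host reads mail credentials)"
    elif hollow or outlook or lookups:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hollowing": hollow, "outlook_access": outlook, "ip_lookup": lookups, "verdict": verdict}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS), indent=2))
```

The same three rules apply to a live EDR feed once the events are mapped into the dict shape used here; the important design point is that no single rule fires the stealer verdict, only the combination of a hollowed host and registry reads from that host's PID.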
Processes
- C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION E230830F2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION E230830F2.exe"
  PID: 3092
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 3528
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 3432
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path