General

  • Target

    183d1817d663aea372474a6439c688b7.exe

  • Size

    799KB

  • Sample

    220921-f91t6sfce2

  • MD5

    183d1817d663aea372474a6439c688b7

  • SHA1

    39a70f9ca530dcb2d580bcafac1ead0469cc3646

  • SHA256

    c7458b9f208f81019043555a3ff23fb620ac9341fb463f9c11f9166c92f8580b

  • SHA512

    eaf9e0cd295421717139245f6398acd45f972c92aa5957d0118d3828bcb2b89c16c5ab1bcdc7005439933b6dab7f3e5797afa759f31e8f6a19f9963824e255bb

  • SSDEEP

    6144:4Ilfih0m+3no6/PNLf3tv6C5F2m9XD5656fgPeE85qKJPwZ6cFmJl0jon+eAUCfj:n7C8FDzczO5qKJsccKsOviml0MqzCv

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • C2

    https://api.telegram.org/bot5321688653:AAEI2yqGrOA_-sRZ3xaqutrexraSgFa0AnA/sendMessage?chat_id=5048077662

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks