General

  • Target

    Product List.exe

  • Size

    211KB

  • Sample

    220926-hfr2aabaaj

  • MD5

    16b097f9953854b7f1c0c046ec34d366

  • SHA1

    1cd3ff8497afb31a9ba5280ef0d8d939689ea597

  • SHA256

    6657fc401ddcb3ffdbe0d45b7850f9a2bccef46d42469b825cd890557a351693

  • SHA512

    43f6313cd2831b9885c7eb851b1ed97743904e7e2d444acacddfb69388beb1743a2f931a115524270d953d5255bc0558bdf5ca22308e3d714205482c3f6f8230

  • SSDEEP

    1536:FOW5VXt2AfixzZ/widSImSU969OSuzrX:FOAQw09qX

Malware Config

Extracted

  • Family

    snakekeylogger

  • Credentials

Targets

    • Modifies WinLogon for persistence

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks