Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    snake keylogger.zip

  • Size

    509KB

  • Sample

    221017-qd8j9acafp

  • MD5

    12400caec5de2bdc39d90ed3aa333f36

  • SHA1

    33bb9d1ba647c542fe89940d2acfd059ca18bfc8

  • SHA256

    3bc8db6d86cd166bd99ccbda398625cfbf1015529b7432c22db08a9030dfa87e

  • SHA512

    fc59125f1e2fbff24e2f469079239cf8d7890c71573c3a3598ae992ef7aab387612fda3032f39da0758b0812945935a726fcc0f59fb8a6f9f4161383c8fd19cf

  • SSDEEP

    12288:k3z3kqjMl5/6I+pl82NVNBsFjIIkrkzPXWLB8be:k3z3kmkI52jgwe98C

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5336386315:AAFr4275liluBmKq3DdynSzdvBY-y98fXrU/sendMessage?chat_id=1736922894

Targets

    • Target

      b494899f8b5837b0fd6c11cf251967fecd3a77c73bf19b688813d6da1d04ec5e.exe

    • Size

      798KB

    • MD5

      d6e177e8a6efdbb56fc0c4bbc8d38bc1

    • SHA1

      2e74ee7b4684c4b2792fc544a46b406342282490

    • SHA256

      b494899f8b5837b0fd6c11cf251967fecd3a77c73bf19b688813d6da1d04ec5e

    • SHA512

      1e20b6e80ab27d7781600611a397dd24bcf5392928c23466a4404186e15c2aa3ef2e8f179b8858f35dea41e0f5c3ddead49245b4a6f78c2067421643b4fca4b7

    • SSDEEP

      12288:/wRfEuYbi5DyeIwAgw8PWb3DkY4pR/SxazhMo8TpCRGr8rCqDmut:lmF5w8PWbgjhMoqpi1

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks