General

  • Target

    Withdrawal Authorization Letter.exe

  • Size

    882KB

  • Sample

    221019-gw3x2sehc2

  • MD5

    ab51fcab2443142fb70bb50872407815

  • SHA1

    c50331ac38b78963d45230c57927c18be34638e9

  • SHA256

    1f9a0cce25f1860e53b471745a001b8d868ce4d96c3d5365c6c3d39c8b7ceb04

  • SHA512

    2d7f8c53add06e86528d12899565ee0c848f20903c9092b2bff1e3a4c842343fd82c66801d43e90bf0e111b9465bd59bffe5f8619daf989631954f92b3c64756

  • SSDEEP

    12288:i6WTGfEuEKW/CyXfwA/7k35yVHLnVheEEcIc/aZLBNcKii/ARh:eZKwCkfL/AGqHlciugg

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, and similar data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks