General

  • Target

    2nd Invoice.xlsx

  • Size

    137KB

  • Sample

    221026-l58bcafdbr

  • MD5

    85f545db1c213dcf29928d6d8073a2ae

  • SHA1

    768d7f8e20f514c987b8e560c953b699c0ea14f6

  • SHA256

    c4371db5235bb4ec11938ec939028d39514219df1452cc7fbb5d004f57a103a1

  • SHA512

    ebc24074041b42ba85475b3edfe6b42965ef01fcd554fe7ac357767696f859f6a1e9483e7f9fefacd35e5d7e8e021e759dfc19aa4be4b131d9dcac01e421460d

  • SSDEEP

    3072:sqfbzI3VkS+wIqjRn+j/SQe1o+BCMAwGFUOgzD4:ZTzYVkOTRnCLe1o4CfGz8

Malware Config

Extracted

Family

snakekeylogger

Credentials

C2

https://api.telegram.org/bot5321688653:AAEI2yqGrOA_-sRZ3xaqutrexraSgFa0AnA/sendMessage?chat_id=5048077662

Targets

    • Target

      2nd Invoice.xlsx

    • Size

      137KB

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
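The extracted config above and the "Looks up external IP address via web service" signature are the two indicators a defender can act on straight away. The following is an added example, not tria.ge's own code or output: it breaks the reported Telegram C2 URL into bot id, token, API method and chat id, then runs that knowledge over a few constructed proxy/EDR log lines to separate confirmed Snake Keylogger C2 from generic Telegram Bot API traffic and external-IP lookups. The log layout (`<timestamp> <process> <url>`), the process names, the list of IP-lookup hosts and the length bound on the token secret are assumptions made for the example.

```python
"""Turn the Snake Keylogger Telegram C2 from the report above into actionable
indicators and run them over a few constructed proxy/EDR log lines."""
import re
from urllib.parse import parse_qs, urlsplit

# The C2 URL extracted by the sandbox (real value from the report above).
REPORTED_C2 = ("https://api.telegram.org/bot5321688653:AAEI2yqGrOA_-sRZ3xaqutrexraSgFa0AnA"
               "/sendMessage?chat_id=5048077662")

# Telegram Bot API path shape: /bot<bot_id>:<secret>/<method>. The secret length
# bound is an assumption; it covers the 35-character secret seen in this sample.
BOT_PATH_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,50})/(?P<method>[A-Za-z]+)$"
)

# Hosts stealers commonly query for the victim's external IP. Assumed list for
# the example; the report only says "a legitimate IP lookup service".
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com"}


def parse_telegram_c2(url):
    """Split a Telegram bot C2 URL into bot id, full token, API method and chat id.

    Returns None for anything that is not a Telegram Bot API call."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    query = parse_qs(parts.query)
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
    }


KNOWN_BAD = parse_telegram_c2(REPORTED_C2)


def classify_request(url):
    """Tag a URL a proxy or EDR saw: confirmed C2 (token from the extracted config),
    any other Telegram Bot API traffic, or an external-IP lookup; None otherwise."""
    c2 = parse_telegram_c2(url)
    if c2 is not None:
        return "snakekeylogger-c2" if c2["token"] == KNOWN_BAD["token"] else "telegram-bot-api"
    if (urlsplit(url).hostname or "") in IP_LOOKUP_HOSTS:
        return "external-ip-lookup"
    return None


def scan_log(text):
    """Parse '<timestamp> <process> <url>' lines and return (process, tag, url) for
    hits, in log order. Lines that do not match the layout are skipped."""
    hits = []
    for line in text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue
        _ts, process, url = fields
        tag = classify_request(url)
        if tag is not None:
            hits.append((process, tag, url))
    return hits


# Constructed log lines for the example; process names are assumed, not taken from the report.
SAMPLE_LOG = f"""\
2022-10-26T11:58:02Z vbc.exe https://checkip.dyndns.org/
2022-10-26T11:58:03Z vbc.exe {REPORTED_C2}
2022-10-26T11:58:09Z chrome.exe https://www.example.com/
2022-10-26T11:59:00Z python.exe https://api.telegram.org/bot123456789:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/getUpdates
"""

if __name__ == "__main__":
    print("extracted:", KNOWN_BAD)
    for process, tag, url in scan_log(SAMPLE_LOG):
        print(f"{tag:20} {process:12} {url}")
```

The token (`bot_id:secret`) is the indicator worth sharing and blocking, since the same bot is typically reused across many builds of the stealer, while the `chat_id` only identifies the operator's inbox. Any `api.telegram.org/bot…` request from a process that is not a messaging client or browser deserves a look even when the token is unknown, and an IP-lookup request followed within seconds by a Telegram Bot API call from the same process is the exfiltration sequence this sample exhibits.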

MITRE ATT&CK Enterprise v6

Tasks