General

  • Target

    tmp

  • Size

    504KB

  • Sample

    230202-ek72hseg73

  • MD5

    9dc5600bedda76a29aa0e33da951fc30

  • SHA1

    9daa8192ef8b03ee276de60e656a56b88ec2d074

  • SHA256

    e966cd1651a960bc88f3582b328d274b2cbf2b84d59df761cbcd1702c38d5a14

  • SHA512

    96e37c9a6342d09799138a97e1928d595aabf36ee5a250d7bba5c3397117a6bb0d19063cf305e1af6799aad6fbeb9257d429454340953203118fa288a0f74804

  • SSDEEP

    12288:8RFO4oYvuoQouswXH06WAx5HSbr8z9i7+pvdCWtO:8TO4UdrE6J4r8zw6Rsh

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ROe!AB$3

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks