General

  • Target

    Statement of account.exe

  • Size

    302KB

  • Sample

    230207-vfpblsga2s

  • MD5

    d92663659acec15e0167ee7500634e59

  • SHA1

    965657d95f52be3a91f7f784503ec287dace934c

  • SHA256

    77dab247203f103e2c7e5139d3d67cc41c2d375bdfb56b9fa902c53a4079a489

  • SHA512

    a7aeb3dcdb1818b48c54668d98d29c1167d47e3a679141402c9ea83aa3bcb186e841cf046cee29bb7513a50b82852e616f6010985e53c25990a750ef3daa4a32

  • SSDEEP

    6144:Ie92FDutOc6duxKLo8TNLLepQZnNh/b6DTlT1CGRcuOiG5MFoCDCHA:sFDutOc6duxKLoeNWpQZnNh/b6PCGhDK

Malware Config

Extracted

Family

snakekeylogger

Credentials

C2

https://api.telegram.org/bot6192832133:AAF7C5Hu2cAny_oozlOAGw_7DWfvYVumEbE/sendMessage?chat_id=2021395706

Targets

    • Target

      Statement of account.exe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Disables Task Manager via registry modification

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks