Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    Profoma Invoice.exe

  • Size

    301KB

  • Sample

    230208-w5g49sdd7y

  • MD5

    07a7565fcf8ba9b08b5e83e94489e4b1

  • SHA1

    8cee31beae3baabf4c1e71a114a3b2623c798ca8

  • SHA256

    7b5951f5bf8b74c9e9f377c59ad305a671735c9f7c6cf9f3def654c5989619ec

  • SHA512

    3f2e0a04c995d7e0a209fda8ce908b83415244259195ee7fde2acdce9c8a7cb37509503a61e2f46cc6c40db44144b79461960dc670c9d60b474e63f00eea3e9b

  • SSDEEP

    6144:4e9Z6dubKLoGWi3xCeLy4Im5Q1FoFVjOMix6S2:f6dubKLoxeGnRklhTS

Malware Config

Extracted

Family

snakekeylogger

Credentials
C2

https://api.telegram.org/bot6192832133:AAF7C5Hu2cAny_oozlOAGw_7DWfvYVumEbE/sendMessage?chat_id=2021395706

Targets

    • Target

      Profoma Invoice.exe

    • Size

      301KB

    • MD5

      07a7565fcf8ba9b08b5e83e94489e4b1

    • SHA1

      8cee31beae3baabf4c1e71a114a3b2623c798ca8

    • SHA256

      7b5951f5bf8b74c9e9f377c59ad305a671735c9f7c6cf9f3def654c5989619ec

    • SHA512

      3f2e0a04c995d7e0a209fda8ce908b83415244259195ee7fde2acdce9c8a7cb37509503a61e2f46cc6c40db44144b79461960dc670c9d60b474e63f00eea3e9b

    • SSDEEP

      6144:4e9Z6dubKLoGWi3xCeLy4Im5Q1FoFVjOMix6S2:f6dubKLoxeGnRklhTS

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Disables Task Manager via registry modification

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks