General

  • Target

    DHL-AWB.exe

  • Size

    940KB

  • Sample

    230302-nmfjqacc8z

  • MD5

    eb685b3c297e9bf66dbdf5ce339b0938

  • SHA1

    e68ee19e34b4e050967630bff153eb27ad9bcab2

  • SHA256

    4cfe382fc05866c2087a5d003050a40fb1a1789f8547bd13956e8823d8cf61f8

  • SHA512

    5af08355a05edb7bd155cc8da39eb520f6041a27532cfb36b999b54a3363e29578f5b1b52d2c1b379c1a14d2c6694f00c7c02a205da02303e23d6cdb47a6f393

  • SSDEEP

    12288:LMuRADz1KGRbItu/8mqKgE8MLj3Ymjk97DuHh/UFxvpj5+YI61UBXEuJ2c1LwnIj:gfftg3CEmA7DehEYY9c0uRwn

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5896148323:AAEWgsVYxyCkhTyIZPTwudSGllkEoROCUk8/sendMessage?chat_id=6163418482

Targets

    • Target

      DHL-AWB.exe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks