General

  • Target: 4dec296b7065addf7c26cc23b6dc3b58c606c48bb58d0583af8ee031627b6591
  • Size: 251KB
  • Sample: 230306-djdkvaad64
  • MD5: d27acd5a54e38e537ff1f3b3f44aa412
  • SHA1: d1ef4583d60eeb82f7c65f5e685ac59e5a72b799
  • SHA256: 4dec296b7065addf7c26cc23b6dc3b58c606c48bb58d0583af8ee031627b6591
  • SHA512: 13a8a68a262b98a80e44221d698ff66f2fea7ffbccc93cdeaaf595d3373eea5e5f7fde3eb172bbfbbe8d124961aa3d84355bf4dc07d466643308b8e7e7d68ce6
  • SSDEEP: 3072:XfY/TU9fE9PEtuWbcShR2O1LqH2Z6Rz3VCrsvUq/cCEY1Degk15kB+Mou4/8LDjI:PYa6mtR272S3Vd/ciCg9igLYQhgEKOIh

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6112875567:AAELAi1dztc_XKpDFEg1a1IG01250o2gxXs/sendMessage?chat_id=5687933537

Targets

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext