General

  • Target: Swift__92be67ab-e027-4955-b6fc-64bd720b2ba09.exe
  • Size: 970KB
  • Sample: 230313-lerwnsbf61
  • MD5: e6e43c4101b9a667f07d52c572dba013
  • SHA1: b9eee5c53a605bfe594f79b3ec5a4336ecce5e0b
  • SHA256: ac6d957336c039f000748fa1491549e9416005c224eea1cf089aab0d91b10844
  • SHA512: 91840f8fc44ad7970adb639afa64d47a15d2e8b4f28d39a059e820c2b02c1ae40faa48b3a69c959db291adfba4dfaa5c8e6848ad59d1c99d3011853c2b53dc5f
  • SSDEEP: 12288:IuvSwl1K8tUyZmMRxEy0gAyjVv4dnUZRbNAenKoD4z/Eu7pDjsnIxB/jDEi+orah:MfypR5AqYBFnpv/jQVzXEnt

Malware Config

Extracted

  • Family: snakekeylogger
  • C2: https://api.telegram.org/bot6284958682:AAFqhG3qHKFjAq48ezySmL8vRDzlw2Jx9s8/sendMessage?chat_id=5636036075

Targets

    • Target: Swift__92be67ab-e027-4955-b6fc-64bd720b2ba09.exe

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
