General

  • Target

    RRQ_00980.exe

  • Size

    280KB

  • Sample

    230314-jkvhmseb79

  • MD5

    83112343ede9fcb19feb0b759b59897e

  • SHA1

    762eb227335de6348b0376deac9e0d332228511b

  • SHA256

    aecdd8b136e292f6a5c419c08e2ea9ebc015ac6d2e7f99c694dccb8d84772b6c

  • SHA512

    9ed560398c1cf6e1b7d2449701726c10fe058da0a5d4594dcece4c0dcd8d4d614c05aae97364233dddf0c09bdc6176edbc6e91e4547a16d8101146624dd3e9c9

  • SSDEEP

    3072:ayamBpp48eTCZZiO1ix7ll/w8mo2CbPJNddNe0dbeNmFIrqvBzAhpNmPIr0n7GYE:ayaq42Ov/wNo2Ky0ngq5zhd

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5252645306:AAGCEUxgRGtto8oZfNWHw7sqdTCF0zNGxX8/sendMessage?chat_id=5590273095

Targets

    • Target

      RRQ_00980.exe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials among other things.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks