Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    45c81edde318f3b548503f30c011a909.bin

  • Size

    673KB

  • Sample

    230330-bpyrvsae67

  • MD5

    fdb7059b5094c214bcb9e17ea55479c8

  • SHA1

    6f727288c07e018f5c14d2e4bd0fcddf32a132e1

  • SHA256

    1cec0f2d92dc95d7b956e4637d7c454a517d756522e8d77f96b77389aa20391f

  • SHA512

    9204fdb9f46e13d1ab41c6278a9bade1b86b8d70afc15d15a4292ece63b18f30c65902c2dcb9de335add6ae04bfd5ef7c639c20e28efe47ccadd13fccedcbcfe

  • SSDEEP

    12288:ELxwSoPTMoPlqs6ak29qWAHpeQcA7U/M9fCgfn6yfQIB9jBkfizr/ImFUkRl:EVwSqrPXkrNcAAgVfjf/DjeuzRl

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    valleycountysar.org
  • Port:
    26
  • Username:
    [email protected]
  • Password:
    PI#6XIKeoUkC

Targets

    • Target

      J9qkUXQDXrk8skj.exe

    • Size

      751KB

    • MD5

      c890149afd84b9f0530aa25d5b37dad4

    • SHA1

      f254a40375022f25055698f9385022d939f0de0f

    • SHA256

      f5fa7b886b1a16ab02b7edf918ece0bc04daca0a9e933b3bf63330f69d8db6c2

    • SHA512

      c9d75048510d6b1a9a13f06fd6956ae4977929980d531e329f3b426d00a1f9168c28e1cfb87f035232580e7f2de3e5c74cc44a9ddb30c2fac06032b5f3890eeb

    • SSDEEP

      12288:S8KdJVZz5dG8jKOT11WDD7GLBcJQmmrbJIp7ThRVtUcXFdg2LB:S3VZ9AsZ14HKmQzoRIc1R

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks