Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    65670000009876.exe

  • Size

    531KB

  • Sample

    230412-rwn41ach37

  • MD5

    fd0e4c74cd2cde1d6b13ec40602af84f

  • SHA1

    46ed02d73b9370d61bfe0f8797d1402a38121b90

  • SHA256

    48834270a70765c001a06f747884bc5289db6859b56609d0a7f2d1fd30cbb18e

  • SHA512

    74e351216d6d7d88ac57734ec180c693e7212747a7984a607e9f26d2251c053ace4d6aae2a386b377c3ba55acd59dff1e04bba168a15f66d3ca6af11753897d1

  • SSDEEP

    12288:VS2iNXkDu93BEvu/4gLWFylJku//aGLH:VS19D34uE47kq/aGL

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      65670000009876.exe

    • Size

      531KB

    • MD5

      fd0e4c74cd2cde1d6b13ec40602af84f

    • SHA1

      46ed02d73b9370d61bfe0f8797d1402a38121b90

    • SHA256

      48834270a70765c001a06f747884bc5289db6859b56609d0a7f2d1fd30cbb18e

    • SHA512

      74e351216d6d7d88ac57734ec180c693e7212747a7984a607e9f26d2251c053ace4d6aae2a386b377c3ba55acd59dff1e04bba168a15f66d3ca6af11753897d1

    • SSDEEP

      12288:VS2iNXkDu93BEvu/4gLWFylJku//aGLH:VS19D34uE47kq/aGL

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks