
General

  • Target

    New Order POH12-FA2306133.doc

  • Size

    31KB

  • Sample

    230505-n7fp8aab94

  • MD5

    bd2d365b0b710589dc5b3b91ac134c12

  • SHA1

    89080ada673d15549f7ba409adcac011b7a088bf

  • SHA256

    8085e0c9ee59ac43c57ad7c3c2b85419d6ed714fc25e41ce63e35ae48538f532

  • SHA512

    b2286cdda78e52852e93699df609bf1afa43295c7ccd07d37c63a1b0221310104406f49984917860a1061c22cf6fb522852d9fefe878709da975fc3898984cb5

  • SSDEEP

    768:/Fx0XaIsnPRIa4fwJMIywRl9Qo/B1X67OePLeD3QoLJeB:/f0Xvx3EMIywRleo/+7XeD3veB

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    cp5ua.hyperhost.ua
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    7213575aceACE@#$

Extracted

  • Family

    snakekeylogger

  • Credentials

    (the SMTP credentials listed above)

Targets

    • Target

      New Order POH12-FA2306133.doc

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open-source infostealer written in C#.

    • StormKitty payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly read browser profile directories to harvest saved credentials, cookies and autofill data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to learn the infected system's external IP address, typically so it can be reported in the exfiltrated data.

    • Suspicious use of SetThreadContext

      Rewriting another thread's register context is a step commonly seen in process hollowing and other code-injection techniques; this signature flags the API use, not a confirmed injection target.
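The extracted SMTP configuration and the hashes above are the hunt-ready indicators in this report, and the network-related signatures (blocklisted process making a network request, external IP lookup) say where they would surface in telemetry. The Python below is an added example, not code from the tria.ge report or from any Snake Keylogger tooling: it validates the copied hashes and SSDEEP string (catching truncated or mangled indicators before they reach a blocklist) and runs a small matcher over constructed Sysmon-style log lines. Only the hash values, the SSDEEP string and the SMTP host/port come from the report; the log lines, field names, file paths and the `update.exe` image name are constructed for illustration.

```python
"""Hunt for this report's indicators in constructed log lines.

Added example, not part of the tria.ge report. Only the indicator values
(hashes, SSDEEP, SMTP host/port) come from the report; the log lines, field
names and file paths below are constructed for illustration.
"""
import re

# Indicator values copied from the report.
REPORT_HASHES = {
    "MD5": "bd2d365b0b710589dc5b3b91ac134c12",
    "SHA1": "89080ada673d15549f7ba409adcac011b7a088bf",
    "SHA256": "8085e0c9ee59ac43c57ad7c3c2b85419d6ed714fc25e41ce63e35ae48538f532",
}
REPORT_SSDEEP = "768:/Fx0XaIsnPRIa4fwJMIywRl9Qo/B1X67OePLeD3QoLJeB:/f0Xvx3EMIywRleo/+7XeD3veB"
EXFIL_HOST = "cp5ua.hyperhost.ua"   # SMTP server from the extracted config
EXFIL_PORT = 587                    # submission port from the extracted config

_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def check_hash_format(algo, value):
    """True if a copied hash has the expected length and is lowercase hex.
    Normalise to lowercase before calling; a truncated paste fails here."""
    return len(value) == _HEX_LEN[algo] and re.fullmatch(r"[0-9a-f]+", value) is not None


def parse_ssdeep(sig):
    """Split an ssdeep signature into (blocksize, chunk, double_chunk) and
    check that the block size is 3 * 2**k, which is all ssdeep ever emits."""
    blocksize, chunk, double_chunk = sig.split(":")
    bs = int(blocksize)
    base = bs // 3
    if bs % 3 != 0 or base == 0 or (base & (base - 1)) != 0:
        raise ValueError(f"invalid ssdeep block size {bs}")
    return bs, chunk, double_chunk


# key=value or key="value with spaces"
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse a Sysmon-style key=value record into a dict."""
    return {k: (quoted if quoted else bare) for k, quoted, bare in _KV.findall(line)}


def hashes_in(event):
    """Sysmon packs hashes as 'MD5=...,SHA256=...'; return them as a dict."""
    out = {}
    for part in event.get("Hashes", "").split(","):
        if "=" in part:
            algo, val = part.split("=", 1)
            out[algo.upper()] = val.lower()
    return out


def match_event(event):
    """Return the names of the report indicators this event matches."""
    hits = []
    for algo, val in hashes_in(event).items():
        if REPORT_HASHES.get(algo) == val:
            hits.append(f"hash:{algo}")
    # Any connection to the exfil host is worth a hit; the port is a second signal.
    if event.get("EventID") == "3" and event.get("DestinationHostname", "").lower() == EXFIL_HOST:
        hits.append("net:exfil-host")
        if event.get("DestinationPort") == str(EXFIL_PORT):
            hits.append("net:smtp-submission-port")
    return hits


def hunt(lines):
    """Map line index -> indicator hits, omitting clean lines."""
    findings = {}
    for i, line in enumerate(lines):
        hits = match_event(parse_event(line))
        if hits:
            findings[i] = hits
    return findings


# Constructed log lines (not from the report); only the hashes and host are real.
SAMPLE_LOGS = [
    r'EventID=15 TargetFilename="C:\Users\victim\Downloads\New Order POH12-FA2306133.doc" '
    r'Hashes=SHA256=8085E0C9EE59AC43C57AD7C3C2B85419D6ED714FC25E41CE63E35AE48538F532',
    r'EventID=3 Image="C:\Users\victim\AppData\Roaming\update.exe" Protocol=tcp '
    r'DestinationHostname=cp5ua.hyperhost.ua DestinationPort=587',
    r'EventID=3 Image="C:\Program Files\Mozilla Firefox\firefox.exe" Protocol=tcp '
    r'DestinationHostname=www.mozilla.org DestinationPort=443',
    r'EventID=1 Image="C:\Windows\System32\notepad.exe" '
    r'Hashes=MD5=00000000000000000000000000000000,SHA256=0000000000000000000000000000000000000000000000000000000000000000',
]

if __name__ == "__main__":
    for algo, val in REPORT_HASHES.items():
        assert check_hash_format(algo, val), algo
    print("ssdeep block size:", parse_ssdeep(REPORT_SSDEEP)[0])
    for idx, hits in hunt(SAMPLE_LOGS).items():
        print(idx, hits)
```

The hash comparison lowercases both sides because Sysmon emits uppercase hex while reports usually publish lowercase; the host match deliberately fires on any port, since a sample rebuilt with a different submission port would still talk to the same mail server.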

MITRE ATT&CK Enterprise v6

Tasks