General

  • Target

    final INV, PL, BL..exe

  • Size

    223KB

  • Sample

    230505-nksq9shh25

  • MD5

    80b48131a8ee8130588c6e8915905a4a

  • SHA1

    29493397e53171528e9587581b750ac85333c174

  • SHA256

    29a028df9898f4d21557863d584879c54b759de951022a419cb4b2b6b40a87bf

  • SHA512

    d2511b3014689e11ebb18ec18eb1dfd64b86b00d2acc114ab3360b8b575c4d1942883f62b2123b5b737b9f95a822a849616b9f3c7fab4f0e7c0ece75a231ba23

  • SSDEEP

    3072:DA4CFu2f+4KMKXk0Q9gsYDDAJmGIrmMvSh3/BxYrOW5qmHohiFQQbTgjnIPX3XgE:E4sL+GKXk0F+IRXM+/5DohiyQ+yI4

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.rubagas.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ruba3004

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks