General

  • Target

    Nº 64494.pif.exe

  • Size

    1.4MB

  • Sample

    230508-w2lchscb39

  • MD5

    b80d0cbf82ce5e7e3ed00a0e671872bd

  • SHA1

    c4bf9168ee8f5894d543d429dd5c5df0a3984bd6

  • SHA256

    d59e0227f0df4944cfa157554ef86a131e2b5d9a1d3983780e0022b98f1d42f4

  • SHA512

    e7459de3d39ae540615f163b6908cba8dcd1daf3981e70682a8a32ec4db83abae1b49be2095ab03379693523fbf2f0ae83ad79c4fde4050bb3fedb8a9dbc2681

  • SSDEEP

    24576:DTbBv5rUDwcywHlqk0DfO4AJaFDKvMrBW4ey2Tygt90e+hoxk08:dB1cL09rOYovMr8Maygt+H08

Malware Config

Extracted

  • Family:
    snakekeylogger

  • Credentials:
      • Protocol:
        smtp
      • Host:
        mail.rampelloelectricidad.com
      • Port:
        587
      • Username:
        [email protected]
      • Password:
        raulruben55
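The extracted configuration says this sample exfiltrates over SMTP to mail.rampelloelectricidad.com on port 587 with the credentials shown (the username is redacted on this page). The following Python is an added example, not code from the report or from the Snake Keylogger family: it walks an SMTP transcript as a network sensor would reassemble it, recovers AUTH LOGIN or AUTH PLAIN credentials, and checks the observed connection and password against the extracted config. The transcript is constructed for the example and uses a placeholder username. The important caveat is built in: on port 587 a client normally issues STARTTLS before AUTH, after which only the destination host and port (and the TLS SNI) remain observable, so the function reports `starttls` and leaves the credentials empty rather than guessing. The mailbox belongs to the attacker or to a compromised third party; the credentials are for detection and takedown requests, not for logging in.

```python
import base64

# Exfiltration endpoint as extracted by the sandbox (values from the report above).
# The report redacts the username, so matching is on host, port and password only.
EXTRACTED_SMTP = {"host": "mail.rampelloelectricidad.com", "port": 587, "password": "raulruben55"}


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed SMTP transcript (not from the report): (direction, line) pairs, "C" for
# client (infected host) and "S" for server. The username is a placeholder.
CONSTRUCTED_SESSION = [
    ("S", "220 mail.rampelloelectricidad.com ESMTP ready"),
    ("C", "EHLO DESKTOP-VICTIM"),
    ("S", "250-mail.rampelloelectricidad.com"),
    ("S", "250 AUTH LOGIN PLAIN"),
    ("C", "AUTH LOGIN"),
    ("S", "334 VXNlcm5hbWU6"),  # base64("Username:")
    ("C", _b64("redacted@example.invalid")),
    ("S", "334 UGFzc3dvcmQ6"),  # base64("Password:")
    ("C", _b64("raulruben55")),
    ("S", "235 2.7.0 Authentication successful"),
    ("C", "MAIL FROM:<redacted@example.invalid>"),
]


def _decode(b64text):
    """Decode one base64 token to text; None if it is not valid base64."""
    try:
        return base64.b64decode(b64text, validate=True).decode(errors="replace")
    except ValueError:
        return None


def extract_smtp_auth(session):
    """Recover AUTH LOGIN / AUTH PLAIN credentials from a cleartext SMTP transcript.

    Returns {'username', 'password', 'starttls'}. Once the server answers STARTTLS
    with 220, everything that follows is ciphertext, so parsing stops there.
    """
    out = {"username": None, "password": None, "starttls": False}
    expect = None  # "user" or "pass" while inside an AUTH LOGIN challenge/response
    pending_tls = False
    for direction, line in session:
        if direction == "S":
            if pending_tls and line.startswith("220"):
                out["starttls"] = True
                break
            pending_tls = False
            continue
        upper = line.upper()
        if expect == "user":
            out["username"] = _decode(line)
            expect = "pass"
        elif expect == "pass":
            out["password"] = _decode(line)
            expect = None
        elif upper.startswith("STARTTLS"):
            pending_tls = True
        elif upper.startswith("AUTH LOGIN"):
            parts = line.split()
            if len(parts) > 2:  # initial-response form: AUTH LOGIN <base64 username>
                out["username"] = _decode(parts[2])
                expect = "pass"
            else:
                expect = "user"
        elif upper.startswith("AUTH PLAIN"):
            parts = line.split()
            if len(parts) > 2:
                try:
                    fields = base64.b64decode(parts[2], validate=True).split(b"\x00")
                except ValueError:
                    continue
                if len(fields) == 3:  # authzid \0 authcid \0 password
                    out["username"] = fields[1].decode(errors="replace")
                    out["password"] = fields[2].decode(errors="replace")
    return out


def matches_extracted_config(dst_host, dst_port, auth, cfg=EXTRACTED_SMTP):
    """True when the observed connection and recovered password match the extracted config."""
    return (
        dst_host.lower() == cfg["host"]
        and dst_port == cfg["port"]
        and auth["password"] == cfg["password"]
    )
```

For live traffic, feed the function the reassembled TCP stream of a connection to the extracted host and port; when `starttls` comes back true, the host/port pair is the indicator to alert on, and the SMTP server's operator is the party to contact for the mailbox.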

Targets

    • Target

      Nº 64494.pif.exe

    • Snake Keylogger

      Keylogger and infostealer, first seen in November 2020.

    • Snake Keylogger payload

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data, which can include saved credentials, cookies and autofill entries.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
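The behaviour signatures above are the kind of conditions a detection engineer turns into host-telemetry rules. The following Python is an added example, not part of the tria.ge report: it runs that signature logic over a short, constructed set of normalized endpoint events. Everything beyond the signature names is an assumption made for the example: the event schema (Sysmon-like type, image, key, path, query fields), the file paths, the geofence registry value (HKCU\Control Panel\International\Geo\Nation), the browser credential-store filenames and the list of public IP-lookup hosts; the report does not name which key, files or service this sample used. A benign Run-key write by a system binary is included to show the user-writable-path filter suppressing an obvious false positive.

```python
import re

# Assumed artefacts behind each signature (not stated in the report).
GEO_KEY_SUFFIX = r"\control panel\international\geo\nation"
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public|downloads)\\", re.I)
BROWSER_STORE = re.compile(r"\\(login data|cookies|web data|logins\.json|key4\.db)$", re.I)
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "ip-api.com", "icanhazip.com", "ifconfig.me"}

# Constructed events (not from the report). Paths are placeholders.
SAMPLE = r"C:\Users\victim\AppData\Local\Temp\64494.pif.exe"
DROPPED_EXE = r"C:\Users\victim\AppData\Roaming\Updater\svc.exe"
DROPPED_DLL = r"C:\Users\victim\AppData\Roaming\Updater\helper.dll"
CONSTRUCTED_EVENTS = [
    {"type": "registry_read", "image": SAMPLE, "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "file_write", "image": SAMPLE, "path": DROPPED_EXE},
    {"type": "file_write", "image": SAMPLE, "path": DROPPED_DLL},
    {"type": "registry_write", "image": SAMPLE,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "data": DROPPED_EXE},
    {"type": "process_create", "image": DROPPED_EXE, "parent": SAMPLE},
    {"type": "image_load", "image": DROPPED_EXE, "path": DROPPED_DLL},
    {"type": "file_read", "image": DROPPED_EXE,
     "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "dns_query", "image": DROPPED_EXE, "query": "checkip.dyndns.org"},
    # Benign control: a system binary registering a Run entry that points into C:\Windows.
    {"type": "registry_write", "image": r"C:\Windows\System32\svchost.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "data": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]


def detect(events):
    """Apply the signature logic in order; return [(signature, image), ...]."""
    findings = []
    dropped = set()  # paths written earlier in the same trace, lower-cased
    for e in events:
        t, image = e["type"], e["image"]
        if t == "file_write":
            dropped.add(e["path"].lower())
        elif t == "registry_read" and e["key"].lower().endswith(GEO_KEY_SUFFIX):
            findings.append(("Checks computer location settings", image))
        elif t == "registry_write" and RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["data"]):
            findings.append(("Adds Run key to start application", image))
        elif t == "process_create" and image.lower() in dropped:
            findings.append(("Executes dropped EXE", image))
        elif t == "image_load" and e["path"].lower() in dropped:
            findings.append(("Loads dropped DLL", image))
        elif t == "file_read" and BROWSER_STORE.search(e["path"]):
            findings.append(("Reads user/profile data of web browsers", image))
        elif t == "dns_query" and e["query"].lower() in IP_LOOKUP_HOSTS:
            findings.append(("Looks up external IP address via web service", image))
    return findings


def triggered(events):
    """Distinct signature names that fired for a trace."""
    return {name for name, _ in detect(events)}


if __name__ == "__main__":
    for name, image in detect(CONSTRUCTED_EVENTS):
        print(f"{name}: {image}")
```

The "dropped" bookkeeping is what turns "executes an EXE" into "executes a dropped EXE": the rule only fires for binaries the trace has already seen being written, which is the property that separates a stager from an ordinary launcher.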
