Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    6589987TEL.exe

  • Size

    233KB

  • Sample

    230522-qv8lksgf97

  • MD5

    9d492198c90933eb067ea7bd158d0597

  • SHA1

    56950f6ba640b4edf603c5bc0f0fa7f460c807d5

  • SHA256

    b4b38d7d62a408e89a3c7c0157405cf65862ddb6a1fb23a931311a468d051890

  • SHA512

    1c511a295e2b6313cc7dc81cdc31a6dd9e1b7a379b67207728fdbfbb5afb977bf03ba10f17428a7a646bce95f7f4c971100aaefbabdd8d7ddba31e44ef4e06c8

  • SSDEEP

    6144:JYa68XJgGIPL8bhiG7FYmjIaf76t+EmV8kPgXjd1qN:JYOJgGIj8TYmsaz6t+Eg8bTdE

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot5801425382:AAG5b4PUEaqNDv5uP9ejZGeIHeuzzOD4IHY/sendMessage?chat_id=5812329204

Targets

    • Target

      6589987TEL.exe

    • Size

      233KB

    • MD5

      9d492198c90933eb067ea7bd158d0597

    • SHA1

      56950f6ba640b4edf603c5bc0f0fa7f460c807d5

    • SHA256

      b4b38d7d62a408e89a3c7c0157405cf65862ddb6a1fb23a931311a468d051890

    • SHA512

      1c511a295e2b6313cc7dc81cdc31a6dd9e1b7a379b67207728fdbfbb5afb977bf03ba10f17428a7a646bce95f7f4c971100aaefbabdd8d7ddba31e44ef4e06c8

    • SSDEEP

      6144:JYa68XJgGIPL8bhiG7FYmjIaf76t+EmV8kPgXjd1qN:JYOJgGIj8TYmsaz6t+Eg8bTdE

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks