General

  • Target

    Cotizacion ##5033900.exe

  • Size

    623KB

  • Sample

    230721-pzg4rafb9v

  • MD5

    e5e34926801d009fd9345c1221cf61d1

  • SHA1

    00dc97afe9b99f0f4c9c6be374ac0a82958028fd

  • SHA256

    fd36434871eb55ee3d9f78ee0fd63f26c915f8d5a7d3848ef6ffddcac75893cc

  • SHA512

    b7c2d2e7194d2a798abdf6e93f6fd1ded8f01261c35cd474c01684f7a10a791dcbd09625b094c2a8ac2f8b458754f1a8e2e52954de07a187425483b88755df91

  • SSDEEP

    12288:2Wc/bUYIsYolnr8+HrF2pJSlghtqle1De7wubknDIlLS6YfiYh:diXrYoxHrF2pLql2IwubDsa

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.mtbooks.com.mx
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ^QGUcHQjx3

Targets

    • Target

      Cotizacion ##5033900.exe


    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks