General

  • Target

    mkhg_Zvfw.hta

  • Size

    47KB

  • Sample

    230922-qwhrjsgc7t

  • MD5

    1021b9b4d037fc4076b1e9ab096b2865

  • SHA1

    fe99b870362e9c2494ff5ff871030f9e7c697975

  • SHA256

    0677bfc48f0007ebc9595793109fd6b7d096c800aa8dfcd1a2736f57896e0b8e

  • SHA512

    224ad1edec31f48ebecb4fe54defd7a91f13621de568f1321b3ef92ced2e251fd5506c6d3243fdb4354a55da72bb6bb137fa1611d03995a24d7aca1a70fb470c

  • SSDEEP

    768:s+xarxSyLCcHOJvVxZFGrnath42PZHpkIV0T3ytMQOtW4vrjz9kuxY:jmXHkVxZFKnm22PZHGIV0T3ytM443z94

Malware Config

Extracted

  • Family

    snakekeylogger

  • C2

    https://api.telegram.org/bot6316392918:AAHcjKTVDupG6SMH3LkXAeVBgHKlqsAcmRU/sendMessage?chat_id=6445748530

Targets

    • Target

      mkhg_Zvfw.hta

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
