Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    95e4dd6cc5a341f4440a113e0a832175aa2f5baafd9c7483255a18088e1c2764.exe

  • Size

    826KB

  • Sample

    240409-b7erpsaf52

  • MD5

    dc59e080bc0be8cee52ec9e79ccc7e82

  • SHA1

    22d8e9aab959c584acc896bfeed170ffa672f1cb

  • SHA256

    95e4dd6cc5a341f4440a113e0a832175aa2f5baafd9c7483255a18088e1c2764

  • SHA512

    7b836760ab575de13b95878a075ff8998e57433d0a7f5b2efb2bc4e3d7c4459e06af9cd71ca19f36913afde5c2b265667658542d892a61ea7f5b17f19d2484e0

  • SSDEEP

    12288:6rLz6X60UHRoVNDWX4gpBRkZf0E5Vav8V7DcRIqlrTwimh0ndFJkTtlXkR:r67HRi4XLy90E5IUFgIqlrtnzQPC

Malware Config

Extracted

Family

snakekeylogger

C2

https://scratchdreams.tk

Targets

    • Target

      95e4dd6cc5a341f4440a113e0a832175aa2f5baafd9c7483255a18088e1c2764.exe

    • Size

      826KB

    • MD5

      dc59e080bc0be8cee52ec9e79ccc7e82

    • SHA1

      22d8e9aab959c584acc896bfeed170ffa672f1cb

    • SHA256

      95e4dd6cc5a341f4440a113e0a832175aa2f5baafd9c7483255a18088e1c2764

    • SHA512

      7b836760ab575de13b95878a075ff8998e57433d0a7f5b2efb2bc4e3d7c4459e06af9cd71ca19f36913afde5c2b265667658542d892a61ea7f5b17f19d2484e0

    • SSDEEP

      12288:6rLz6X60UHRoVNDWX4gpBRkZf0E5Vav8V7DcRIqlrTwimh0ndFJkTtlXkR:r67HRi4XLy90E5IUFgIqlrtnzQPC

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with SmartAssembly

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables with potential process hoocking

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.