General

  • Target

    95e4dd6cc5a341f4440a113e0a832175aa2f5baafd9c7483255a18088e1c2764.exe

  • Size

    826KB

  • Sample

    240409-b7erpsaf52

  • MD5

    dc59e080bc0be8cee52ec9e79ccc7e82

  • SHA1

    22d8e9aab959c584acc896bfeed170ffa672f1cb

  • SHA256

    95e4dd6cc5a341f4440a113e0a832175aa2f5baafd9c7483255a18088e1c2764

  • SHA512

    7b836760ab575de13b95878a075ff8998e57433d0a7f5b2efb2bc4e3d7c4459e06af9cd71ca19f36913afde5c2b265667658542d892a61ea7f5b17f19d2484e0

  • SSDEEP

    12288:6rLz6X60UHRoVNDWX4gpBRkZf0E5Vav8V7DcRIqlrTwimh0ndFJkTtlXkR:r67HRi4XLy90E5IUFgIqlrtnzQPC

Malware Config

Extracted

  • Family

    snakekeylogger

  • C2

    https://scratchdreams.tk

Targets

    • Target

      95e4dd6cc5a341f4440a113e0a832175aa2f5baafd9c7483255a18088e1c2764.exe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables packed with SmartAssembly

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables with potential process hooking

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
