Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    Vessel Information.exe

  • Size

    491KB

  • Sample

    240613-ryp43sshld

  • MD5

    074900bf90c8e83bfd5f79479f91ed1f

  • SHA1

    9001cb1924963b0a35db3d78d50faa3cb54bca5b

  • SHA256

    c3f8b456725a6e744d7d59b5456b99c988b8b5565a18bf5f25b36a78bbed060e

  • SHA512

    a9b2a8ae609174edaf49f17664514acd04dbe10f2b75af2d1a5c181e5d6cb126ecac21bc82b06721df53a99502c48e0829e737558423b89db8f0a30e87dd962b

  • SSDEEP

    12288:ttMyF3ltmeOVahfG3+CSQ9vkk93YmSWWsGf:XM6ltmOa+CSQCk93XWsq

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    valleycountysar.org
  • Port:
    26
  • Username:
    [email protected]
  • Password:
    fY,FLoadtsiF
C2

http://103.130.147.85

Targets

    • Target

      Vessel Information.exe

    • Size

      491KB

    • MD5

      074900bf90c8e83bfd5f79479f91ed1f

    • SHA1

      9001cb1924963b0a35db3d78d50faa3cb54bca5b

    • SHA256

      c3f8b456725a6e744d7d59b5456b99c988b8b5565a18bf5f25b36a78bbed060e

    • SHA512

      a9b2a8ae609174edaf49f17664514acd04dbe10f2b75af2d1a5c181e5d6cb126ecac21bc82b06721df53a99502c48e0829e737558423b89db8f0a30e87dd962b

    • SSDEEP

      12288:ttMyF3ltmeOVahfG3+CSQ9vkk93YmSWWsGf:XM6ltmOa+CSQCk93XWsq

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks