General

  • Target

    3071ac42b0c7407d7982843858e9df6a697f4b83dd4281394fef5e79bfea2bb5

  • Size

    271KB

  • Sample

    240725-lv7bas1hqp

  • MD5

    06423b5a0a4d4f444ea943e2bdaa5461

  • SHA1

    3f839dd6da834bc4df8faf8bac49dd7f34b5cd50

  • SHA256

    3071ac42b0c7407d7982843858e9df6a697f4b83dd4281394fef5e79bfea2bb5

  • SHA512

    ce60a82182ab2cc122b50a34131d0c376ebf1c14286658603199a4eefb6153bae18201400a5b29c4dbead906be9aeb028155a1d1af531c1fb81cf79e00f5d759

  • SSDEEP

    1536:PfINtK3IadjNM9h/IaOlaStsiuvErox1Rti/KCEBFjgnC2EoKyr/sK4tF6ROX1Lu:PIyuvuM2EM0l3hWAzmp4h2GWjyHW

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      3071ac42b0c7407d7982843858e9df6a697f4b83dd4281394fef5e79bfea2bb5

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks