General

  • Target

    b20add8b1ca2d673dcce96474e03d83b90c36f1fcf5f12e40c1b3ee18ee93f7a.exe

  • Size

    793KB

  • Sample

    240806-cnwrjswerr

  • MD5

    9e8fd9c35d3b5d71def38d4b8fddd0ab

  • SHA1

    4e5a0a7301f5ebce4f36b403802165d58bddf755

  • SHA256

    b20add8b1ca2d673dcce96474e03d83b90c36f1fcf5f12e40c1b3ee18ee93f7a

  • SHA512

    068b79801d6e02f6cdfcfe65df364b8d81a0cc061284be72036be91a41e2994bbcdb2f73f100c69fd0945136d0b562ea7a33d55826a6cc0cf2a2a4f3de341c91

  • SSDEEP

    12288:CNta0s5YgbYSc6GLl19xnDmkSHmJEb+5cZe/e73XsZd:pL3cnHxnKkTJEVqa3XsZd

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6321055561:AAFBfch7gvJP9JYWkjm5t-zoz8g0dXedX9U/sendMessage?chat_id=7212496360

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks