General

  • Target

    bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994aN

  • Size

    1.1MB

  • Sample

    240916-z22ahszeqe

  • MD5

    d19e57cc9fadabb7d0b4d5f29afaab80

  • SHA1

    f0678c2796dbf40a30fcc4e9d2455641bd83866d

  • SHA256

    bb64f5d78d45a7994988a5aea5c5fd06aa9be2106d38be875e3e7041d58a994a

  • SHA512

    3f91e041a19d0316296244e58f04108cca4357e3b28785425fa24b3b9d5ce3b2ab26c2445c20b9719d9acd7920481c2a19597897fd6a69894f5cac58526b8c7a

  • SSDEEP

    24576:sqDEvCTbMWu7rQYlBQcBiT6rprG8a+gLAAB8CeF:sTvC/MTQYxsWR7a+gLAAte

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7505197168:AAH44rUOfgM2A0VfpI637HSQjCH00DQZX48/sendMessage?chat_id=875935923

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext
