General

  • Target

    rPROFORMAINVOICE-PO_ATS_1036pdf.exe

  • Size

    521KB

  • Sample

    240925-pkfx5syble

  • MD5

    d5a6193b01c8b4f4a1d70de986f2581a

  • SHA1

    83146988eefd85c295e43336021a82bdae3e03fc

  • SHA256

    fb32ee963d4a3a9ee628b7953fd14fb98fe1257946ce05c6e922005d05cdac74

  • SHA512

    12b11063db76a6319a74b0f3debab63d051b48c85ca1a3b27bc8c8a34c8091960341fbf40d6f3db1bdc6cead878bda0123bd3d40ef164b6ad5a5c70704f78872

  • SSDEEP

    12288:p/CqjqYBxuBdwmEZ9ictORFP+yfpDHI3Rtj6IFKap5AW:p6pUxuB2mE7irPhBs3jrNTB

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7205528810:AAHpQmp8pXDD3HdZBbwmUH_nIHswhyx25IQ/sendMessage?chat_id=5483672364

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar data.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
