General

  • Target

    26092024_0509_25092024_Oficio_Pagamento_Por_Reg.pdf.zip

  • Size

    499KB

  • Sample

    240926-ftmydazamk

  • MD5

    8a25d4c00ade5e0f3e91d655aaa0e1d2

  • SHA1

    2c4eadbc992a7c7e6e2affb1c5799c84bdd7f4c6

  • SHA256

    076cff7f23ef4560af258b930ecc0f43654d86e754314557238a3edb1191f63a

  • SHA512

    f40f241a3d3710afff882fca0372e56973cd14abecc79c6a014742deb5f18a48d6a522858addefb1a96ca6115e291c643d0481aef867bb7db5487555e470a9f4

  • SSDEEP

    12288:e9RypFWssSaIuEk8WAeueuA2ocSKw7+TubKmcUVvliN:CMFFsinWjZuTS5yTupcYdiN
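The submitted archive is named so that it ends in .pdf.zip, while the member the sandbox extracted (Yx3p9h2BuT3fGLE.pif, listed under Targets below) carries an extension Windows launches as an executable. The following triage check is an added example and not part of the tria.ge report: it builds a constructed in-memory archive with the report's two file names, puts a dummy MZ header in the member in place of the sample's real bytes, and flags the document-name-plus-executable-member pairing. The extension lists and severity labels are the example's own choices.

```python
"""Triage an archive whose name imitates a document but carries an executable.

Constructed example: the archive built below is an in-memory stand-in for the
.pdf.zip / .pif pairing shown in this report; the member content is a dummy
MZ header, not the sample's bytes.
"""
import io
import zipfile
from typing import Dict, List

# Extensions Windows launches directly from Explorer. A .pif that holds a PE
# image runs like an .exe, which is why loaders favour it as a disguise.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
PE_MAGIC = b"MZ"  # DOS header signature at offset 0 of every PE file


def _extension(name: str) -> str:
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def outer_name_looks_like_document(archive_name: str) -> bool:
    """True for 'report.pdf.zip'-style names: a document extension sits right
    before the archive extension so a file list shows a .pdf at a glance."""
    parts = archive_name.lower().split(".")
    return len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTENSIONS


def triage_archive(archive_name: str, data: bytes) -> Dict:
    """Inspect every member's extension and first two bytes, then rate the archive."""
    members: List[Dict] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            members.append({
                "name": info.filename,
                "size": info.file_size,
                "executable_extension": _extension(info.filename) in EXECUTABLE_EXTENSIONS,
                "pe_header": head == PE_MAGIC,
            })
    has_executable = any(m["executable_extension"] or m["pe_header"] for m in members)
    deceptive = outer_name_looks_like_document(archive_name)
    if deceptive and has_executable:
        verdict = "high"      # document-looking lure delivering an executable
    elif has_executable:
        verdict = "medium"    # executable inside, but the archive name is honest
    else:
        verdict = "low"
    return {"archive": archive_name, "deceptive_outer_name": deceptive,
            "members": members, "verdict": verdict}


def build_sample_archive(member_name: str, content: bytes) -> bytes:
    """Build a one-file zip in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


# Dummy PE-like payload: DOS signature followed by padding, not the real sample.
FAKE_PE = PE_MAGIC + b"\x00" * 62

if __name__ == "__main__":
    lure = build_sample_archive("Yx3p9h2BuT3fGLE.pif", FAKE_PE)
    print(triage_archive("26092024_0509_25092024_Oficio_Pagamento_Por_Reg.pdf.zip", lure))
    benign = build_sample_archive("notes.txt", b"quarterly figures")
    print(triage_archive("notes.zip", benign))
```

Checking the member's first two bytes as well as its extension matters because the extension alone is easy to rename; the MZ signature is what the loader actually needs.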

Malware Config

Extracted

Family

snakekeylogger

Credentials

Targets

    • Target

      Yx3p9h2BuT3fGLE.pif

    • Size

      556KB

    • MD5

      49dd86eee043ea73a894b42b4c6a4f6f

    • SHA1

      69f67588f4dc75fb5fbc691058bc48893db544c3

    • SHA256

      891a20a58690590fbd03bcb8954a327fbb069dc8f3bdba12b2bf29570eabefd7

    • SHA512

      70a956db957917d54a53bdc34410c5c308433d9d05c283522d29a8d02649a898a7d8576515010c22610338a5cb44967494ad191463c0aa6b44df700c99bd290b

    • SSDEEP

      12288:UF5pr/s0/DK2GsSiIKEkgWQeqeuseocKE692O8bQbmkR:AZs+DKdsQfWzNuhKEhI9

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that the dropped components are not scanned.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Typically seen in process injection: the context of a thread in another (often suspended) process is rewritten so execution resumes at attacker-supplied code.
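The "Command and Scripting Interpreter: PowerShell" signature above describes Defender exclusions being added for extensions, paths and processes. The detection below is an added example, not code from tria.ge or from the Snake Keylogger sample: it runs over constructed script-block strings standing in for the ScriptBlockText field of Microsoft-Windows-PowerShell/Operational event 4104, extracts which exclusion parameters an Add-MpPreference or Set-MpPreference call sets, and rates user-writable path and extension-wide exclusions highest. The exclusion values in the sample lines are invented; the report does not state what the sample excluded.

```python
"""Flag PowerShell script blocks that add Microsoft Defender exclusions.

Constructed example: the script-block strings below stand in for the
ScriptBlockText field of PowerShell Operational event 4104. They are not
taken from the analysed sample.
"""
import re
from typing import Dict, List

# Both cmdlets accept the three exclusion parameters.
CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
# PowerShell binds any unambiguous parameter prefix (-ExclusionPa, -ExclusionE,
# -ExclusionPr), so match those prefixes rather than only the full names.
PARAM_RE = re.compile(r"-(Exclusion(?:Pa|E|Pr)\w*)", re.IGNORECASE)
# Locations a low-privilege process can write to; an exclusion here lets a
# dropped payload run unscanned.
USER_WRITABLE = ("$env:appdata", "$env:localappdata", "$env:temp", "$env:tmp",
                 "$env:userprofile", "$env:public", "%appdata%", "%temp%",
                 "c:\\users\\", "c:\\programdata\\")


def _canonical(param: str) -> str:
    """Map a (possibly abbreviated) parameter token to its full name."""
    p = param.lower()
    if p.startswith("exclusionpa"):
        return "ExclusionPath"
    if p.startswith("exclusione"):
        return "ExclusionExtension"
    return "ExclusionProcess"


def _split_values(raw: str) -> List[str]:
    # Comma-separated, optionally quoted values.
    return [v.strip().strip("'\"") for v in raw.split(",") if v.strip()]


def _severity(exclusions: Dict[str, List[str]]) -> str:
    # Extension-wide exclusions and exclusions on user-writable paths defeat
    # scanning for anything the malware drops there; rate them highest.
    if "ExclusionExtension" in exclusions:
        return "high"
    for path in exclusions.get("ExclusionPath", []):
        if path.lower().startswith(USER_WRITABLE):
            return "high"
    return "medium"


def find_exclusion_changes(script_block: str) -> List[Dict]:
    """Return one finding per Add-/Set-MpPreference call that sets exclusions."""
    findings = []
    for m in CMDLET_RE.finditer(script_block):
        # The call's arguments run to the end of the statement.
        tail = re.split(r"[\r\n;|]", script_block[m.end():], maxsplit=1)[0]
        exclusions: Dict[str, List[str]] = {}
        # Split into "-Parameter value,value" chunks.
        for chunk in re.split(r"\s+(?=-[A-Za-z])", tail):
            chunk = chunk.strip()
            pm = PARAM_RE.match(chunk)
            if not pm:
                continue
            kind = _canonical(pm.group(1))
            exclusions.setdefault(kind, []).extend(_split_values(chunk[pm.end():]))
        if exclusions:
            findings.append({"cmdlet": m.group(0), "exclusions": exclusions,
                             "severity": _severity(exclusions)})
    return findings


def scan_script_blocks(blocks: List[str]) -> List[Dict]:
    return [f for b in blocks for f in find_exclusion_changes(b)]


# Constructed script-block texts (not from the sample): one full tampering call,
# one abbreviated/lower-cased call to show prefix binding, and one benign read.
SAMPLE_SCRIPT_BLOCKS = [
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public', $env:APPDATA "
    "-ExclusionExtension 'pif','exe' -ExclusionProcess 'update.pif'",
    'add-mppreference -exclusionpa "$env:TEMP"',
    "Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension",
]

if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f["severity"], f["cmdlet"], f["exclusions"])
```

Script block logging (event 4104) records the decoded script text, so this check still sees the cmdlet when the launcher used -EncodedCommand; a detection built only on process command lines would see the Base64 blob instead. The benign Get-MpPreference line is deliberately included so that merely mentioning ExclusionPath does not fire.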

MITRE ATT&CK Enterprise v15

Tasks