General

  • Target

    Factura 0001-00255454.exe

  • Size

    878KB

  • Sample

    250127-tkmg5swngv

  • MD5

    b0da7f11cfb48da510ec5922d699f247

  • SHA1

    ee9f821827824a7bbc7fd2094ebe351979e6719a

  • SHA256

    8de7eff64589f33b2016f67de83c73ce0ceadf0ce5f79c8e5fe91c9611887a1e

  • SHA512

    4b993474396b8b49b9c05eef840a3afc804c73d6910c975d0cc7f41e96b33c0d1d8e357fbce940de62af81f2279668fa459c0c7321c16a66a5030f48d90a3a7d

  • SSDEEP

    12288:Md0NvpiWtvMJRr5UYDOXjETJpoHIIqycK7kIzh+BUs/Oz2BLIXXDMwiJcG6wOV6D:u0l4jX5FDOzEAoY+B

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    ssl0.ovh.net
  • Port:
    587
  • Username:
    segreteria@tecnolegnosas.com
  • Password:
    sj4Ub78kk
  • Email To:
    saleseuropower2@yandex.com

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
