snakekeylogger | 1a3fd2d2b2c9d14ff022b6a5e62e2aaa3848fb9b5714bac5ed136c3d82d6f58d | Triage

Submit
Reports

Overview

overview

Static

static

RFQ K28765.exe

windows7-x64

RFQ K28765.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

RFQ K28765.exe
Size

845KB
Sample

220911-hd31rsbbb2
MD5

e849c525b770b4765fbbb36d5ad95030
SHA1

c6a6a20b612bd6a1213dac6ae07dc650df5d72e9
SHA256

1a3fd2d2b2c9d14ff022b6a5e62e2aaa3848fb9b5714bac5ed136c3d82d6f58d
SHA512

6c94931189113d843dd361bac94f3fd9913c051a13ddee0c913300154203c32c4b6239f6749b8d71346f1465f4f7bc0926d4af7535a32898301d8c9671272a1e
SSDEEP

12288:HRNdSxnDFHzp2oFo7yDQBBA7AbVGUy8V4CchNr/:xnS3TgUNQBBjVZar

Score

10^/10

snakekeylogger collection evasion keylogger stealer

Static task

static1

Behavioral task

behavioral1

Sample

RFQ K28765.exe

Resource

win7-20220812-en

snakekeylogger collection evasion keylogger stealer

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

RFQ K28765.exe

Resource

win10v2004-20220812-en

snakekeylogger collection evasion keylogger stealer

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
xCj*aYU6
Email To:
[email protected]

Targets

- Target
  
  RFQ K28765.exe
- Size
  
  845KB
- MD5
  
  e849c525b770b4765fbbb36d5ad95030
- SHA1
  
  c6a6a20b612bd6a1213dac6ae07dc650df5d72e9
- SHA256
  
  1a3fd2d2b2c9d14ff022b6a5e62e2aaa3848fb9b5714bac5ed136c3d82d6f58d
- SHA512
  
  6c94931189113d843dd361bac94f3fd9913c051a13ddee0c913300154203c32c4b6239f6749b8d71346f1465f4f7bc0926d4af7535a32898301d8c9671272a1e
- SSDEEP
  
  12288:HRNdSxnDFHzp2oFo7yDQBBA7AbVGUy8V4CchNr/:xnS3TgUNQBBjVZar
Score

10^/10

snakekeylogger collection evasion keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

snakekeyloggercollectionevasionkeyloggerstealer

behavioral2

snakekeyloggercollectionevasionkeyloggerstealer

© 2018-2025

Terms | Privacy