Extracted

• • Target

    file.exe

  • Size

    390KB

  • MD5

    66244fb1118f70553439a5afc47529ac

  • SHA1

    68250dcc265970b31d6fed79c008fe0972eec12c

  • SHA256

    8973a01c5fb01195763577375cc5e3b223c5ed680cbd646a0924cbcb37150ebb

  • SHA512

    8cd236ee3ab5ce209264cdbb3d00acc4399489474e47ef6e231d76fdd704a07b4060ca20e46f5e2ea618963dd4cb38fe38c4e91b42e79b7c2bdc68756d3719cb

  • SSDEEP

    6144:cTzoeC71TFqddJYDqR2B19LuduY0XoJt6FW9mVou0art+obeVxJAK/ngEdfbL2:KzDqRkGDqMnXhYJt6zSu0kMOWD3/ge/2

  Score

  10^/10

  snakekeyloggercollectionevasionkeyloggerpersistencestealertrojan

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger

  • Snake Keylogger payload

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Looks for VirtualBox Guest Additions in registry

    evasion

  • Looks for VMWare Tools registry key

    evasion

  • Sets service image path in registry

    persistence

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Uses the VBS compiler for execution

  • Windows security modification

    evasiontrojan

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2