Extracted

• • Target

    Xcipfrrs.exe

  • Size

    340KB

  • MD5

    be386c47c42d11ab2b0ee2e820297608

  • SHA1

    3a2720f80b8394f0ce859d1dd5566b681252ea84

  • SHA256

    32a00fc9b61a3ca12be1aa91388fbd5c37b19650b01a11d0e5521097b3de3e11

  • SHA512

    b7e401045970b7349c8e113cb53c64171e54e34c526a2b3ef8344156f6bd5fc40479d6c1f4281e5a82dc7eeab143a257c6958cc13da25979acd4cd7e4be19486

  • SSDEEP

    6144:QvpJo0XE/ZLUsQqVChyUWmSvoPsasomPFpyit2mHKW2cwOkxStaC8dNH1:ko/qqoU8zsu6stR

  Score

  10^/10

  discoverysnakekeyloggercollectionkeyloggerpersistencestealer

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger

  • Snake Keylogger payload

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2