General

  • Target

    NEAS.7995a7b70fd579b2d7562444301504e7fb8834fda0666b52386592d8e5ec13e4.exe

  • Size

    1.2MB

  • Sample

    231114-kbz77shf5z

  • MD5

    a3340c23b9134ddf2e7522e25936899c

  • SHA1

    5e12c6ebd3c9c075de080056353070017e68cacb

  • SHA256

    7995a7b70fd579b2d7562444301504e7fb8834fda0666b52386592d8e5ec13e4

  • SHA512

    a829f3a3c8210b922dc23940ce7f54e78f8a009635b6d8e7b4fba22d58809632fa36e764304642ca69035cc7f0d5b76266cc920c6777c38697e1d5064bcd6167

  • SSDEEP

    12288:1PwdV/Ul5tP+EFx5wtI25qGDP/5lNKOLlCjpIdy1bY13Kj25PyYcZYXgDPW3dEd0:imlDWEFxIdP/5TH260CG25PZXbid11A

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6630888620:AAE93xtVx5O2Dxt-GABfyfFS0US096iv3q8/sendMessage?chat_id=1467583453

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks