Extracted

Extracted

• • Target

    Invoice.exe

  • Size

    557KB

  • MD5

    7ccea594742ef8616d4329ae4b13d65f

  • SHA1

    2cc66eb1781ca1389e5b961f6904ba819770cf62

  • SHA256

    3235c0cc1e4c983e8e11ad3f9fe6af66cf5cda2d4f4730f84cd290d877136b6c

  • SHA512

    59eef8e1cbedf34393b262f3d84e61a67e552db3ce8d95c492d5559449694d2d6324882c84b844d496b2ae9a7a81dd42df81b6a0a4ff74a8c02e964a680d4a3d

  • SSDEEP

    12288:dVTlZnKl3tPs75yJfVtHNrx8ACBUtjKxisU9zJDs1K4YJHg6gi/:nZZKlCYJdBN98AC65izUrow9H+i

  Score

  10^/10

  snakekeyloggercollectionexecutionkeyloggerspywarestealer

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger

  • Snake Keylogger payload

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects executables referencing many email and collaboration clients. Observed in information stealers

  • Detects executables with potential process hoocking

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2