General

  • Target

    b9dc19311922881ab92fc3cf26fbeb9fb632e9452bf7a4149ba95a94cc9ac82b

  • Size

    545KB

  • Sample

    240818-eh86ssxbjp

  • MD5

    e654c3432e16ceff3292ca7bc774b197

  • SHA1

    75455e647f7fe814219987daa14a34ff01a69530

  • SHA256

    b9dc19311922881ab92fc3cf26fbeb9fb632e9452bf7a4149ba95a94cc9ac82b

  • SHA512

    f81dcf58828fcb1f9ee338af5498d09f593faba363199224a4d3d07f1d107e6bd46d1c6d36965fdb8a7ada4c8b57e958b8c3d95d3eb8035efc8a51d2f19ec814

  • SSDEEP

    12288:vJxgzlIAboZMqQfBJfpeIhO2nGX5cJ9XfOwO/JPaRtCG:hxgZIOskfBJNc2tOBDG

Malware Config

Extracted

  • Family

    snakekeylogger

  • Credentials

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks