Extracted

• • Target

    65468778fc4c2ce8fda7c7aa63581d69ec6faadff01e44e3250cbc6d9f88d91d.exe

  • Size

    666KB

  • MD5

    1f45c1fced38ecafedfa57f8b38ded3b

  • SHA1

    cfa710be1782529f27bf5fbf2b757d2a825d186e

  • SHA256

    65468778fc4c2ce8fda7c7aa63581d69ec6faadff01e44e3250cbc6d9f88d91d

  • SHA512

    2cfc797ddcbaafc7e0bf77ccf3859dedb69d18ecf07453a33d364cd827105eb0722efb9d1e5e4b993c19d12f5312c28aabf4a639e7af720eb061617411e9cf6a

  • SSDEEP

    12288:w8U8229KRr/9+FUsMQtM1OoUUd3DSXBpHXVsoW0:w8U8d9o/9mUsMtO83DeBpFso

  Score

  10^/10

  snakekeyloggercollectioncredential_accessdiscoveryexecutionkeyloggerspywarestealer

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger

  • Snake Keylogger payload

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2