Extracted

• • Target

    SecuriteInfo.com.Win32.CrypterX-gen.17091.2614.exe

  • Size

    553KB

  • MD5

    b0f79857a999521f20975297421e41af

  • SHA1

    66cd2849f7e3dba7476283ae313d2738c32a2e9a

  • SHA256

    356108c722dbfed7782c279d388601706606ef10915929bc0c0732aa9b4e9cea

  • SHA512

    8df4f82c62336cb68933c51d114c59ba0eacf425c71a87c9efe6c1073f4172225830ec71fa2ab81da6e61ad2c032b79cc98b925605024147d54e62ff7aadd8fc

  • SSDEEP

    12288:fu7kvDoQ1DgXu7eIN0oNv04cdIkYAyw1yD1MDQ/HxfGi+kdJ:fuoZDgXuaVGvx+KAbERMDQ/+kdJ

  Score

  10^/10

  snakekeyloggercollectioncredential_accessdiscoveryexecutionkeyloggerspywarestealer

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger

  • Snake Keylogger payload

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2