General

  • Target

    IEnetbookupdation.hta

  • Size

    115KB

  • Sample

    241003-g9gxqsshkh

  • MD5

    3f20ef35e2f63a4e4f0719740bf9deeb

  • SHA1

    6e804455dcf41545ebb533636558481e0da69b8a

  • SHA256

    4fde814d5f352592a5b42c856b41548f1517ee82a1c042b882622ace5a6b06f6

  • SHA512

    b7f959280d4107fbc3f4e2a646f542e2bb55bcde0840848e81c14e5dbf7fd142af337d85eb045d3c7b8686fa568f9f4df6e76a22378d3b6e653199fb5db9cc65

  • SSDEEP

    96:Ea+M7alGgrialG5prPFX7/wZf83kJcAlGo3lGZN5Dr93lGaAT:Ea+QpgWpfRKLeHndaBT

Malware Config

Extracted

Family

snakekeylogger

Credentials

  • Protocol:
    smtp
  • Host:
    mail.kotobagroup.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Kotoba@2022!
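The extracted config names the exfiltration channel: Snake Keylogger mails stolen credentials and keystrokes through a third-party SMTP submission account (port 587, authenticated). The following is an added example, not part of the sandbox report: a small triage helper that checks a local file against the hashes listed above and scans a connection log for the exfiltration endpoint. The JSON-per-line log format and its field names (src, dst_host, dst_port, proto) are constructed for the example; adapt them to your firewall or proxy schema.

```python
"""Triage helper for the Snake Keylogger report above (added example).

Two checks: (1) does a file on disk match the reported hashes, and
(2) which connection-log events point at the SMTP exfiltration host/port
the extracted config names.
"""
import hashlib
import json

# Indicators copied from the report.
REPORT_HASHES = {
    "md5": "3f20ef35e2f63a4e4f0719740bf9deeb",
    "sha1": "6e804455dcf41545ebb533636558481e0da69b8a",
    "sha256": "4fde814d5f352592a5b42c856b41548f1517ee82a1c042b882622ace5a6b06f6",
}
EXFIL_HOST = "mail.kotobagroup.com"
EXFIL_PORT = 587   # SMTP submission port from the extracted config


def hash_bytes(data):
    """Compute md5/sha1/sha256 of an in-memory blob in one pass."""
    digests = {name: hashlib.new(name) for name in REPORT_HASHES}
    for d in digests.values():
        d.update(data)
    return {name: d.hexdigest() for name, d in digests.items()}


def file_hashes(path):
    """Same as hash_bytes, but streamed from disk so large files do not load whole."""
    digests = {name: hashlib.new(name) for name in REPORT_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def matches_report(actual):
    """True only if every listed digest matches; one mismatch means a different file."""
    return all(actual.get(k) == v for k, v in REPORT_HASHES.items())


def exfil_connections(log_lines):
    """Return events whose destination is the report's SMTP exfil endpoint.

    Host comparison is case-insensitive; port must be exactly 587 so that
    ordinary mail clients talking to other submission servers are not flagged.
    """
    hits = []
    for line in log_lines:
        ev = json.loads(line)
        host = str(ev.get("dst_host", "")).lower()
        if host == EXFIL_HOST and int(ev.get("dst_port", 0)) == EXFIL_PORT:
            hits.append(ev)
    return hits


# Constructed sample log: three events, one of which is the exfil attempt.
SAMPLE_LOG = [
    '{"src": "10.0.0.15", "dst_host": "api.ipify.org", "dst_port": 443, "proto": "tcp"}',
    '{"src": "10.0.0.15", "dst_host": "mail.kotobagroup.com", "dst_port": 587, "proto": "tcp"}',
    '{"src": "10.0.0.22", "dst_host": "smtp.office365.com", "dst_port": 587, "proto": "tcp"}',
]

if __name__ == "__main__":
    for ev in exfil_connections(SAMPLE_LOG):
        print("exfil attempt:", ev["src"], "->", ev["dst_host"], ev["dst_port"])
```

The mailbox in the config is a third-party account the operator abuses for collection; block the host and alert on authenticated SMTP to it, but do not log in to it yourself. Matching all three digests rather than one is deliberate: a single hash is enough to identify the file, but a report pasted by hand is easy to transcribe wrongly, and disagreement between digests is the quickest way to notice that.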

Targets

    • Target

      IEnetbookupdation.hta


    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext
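The signatures above describe a chain: an .hta file (run by mshta.exe) drops and executes a PE, which reads the configured country code from the registry, resolves its external IP through a public lookup service and then talks SMTP. The following is an added example, not part of the sandbox report or of Triage's own signature logic: it groups Sysmon-like events by process and labels each process with the report's signature names, so the output can be compared with the sandbox verdict. The event schema is a constructed JSON subset (type, pguid, image, parent_image, key, query, dst_port), and the geofence registry paths and IP-lookup domains are assumptions drawn from common Snake Keylogger samples rather than facts stated in this report.

```python
"""Behavioural matcher for the chain reported above (added example).

Input: Sysmon-like events, one JSON object per line, already converted to
a small constructed schema. Output: per-process set of behaviour labels.
"""
import json
from collections import defaultdict

# Assumed indicators (not stated in the report).
# Sysmon records HKCU paths as HKU\<SID>\..., so match on the tail of the key.
GEOFENCE_KEYS = (
    r"\control panel\international\geo\nation",     # user GeoID / country code
    r"\control\nls\language",                        # system UI language
)
IP_LOOKUP_DOMAINS = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com", "icanhazip.com"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\public\\", "\\downloads\\")
SMTP_SUBMISSION_PORT = 587


def _norm(value):
    return str(value or "").lower()


def analyse(events):
    """Return {process_guid: set(labels)} using the report's signature names."""
    findings = defaultdict(set)
    for raw in events:
        ev = json.loads(raw)
        guid, kind = ev["pguid"], ev["type"]
        if kind == "process_create":
            parent, image = _norm(ev.get("parent_image")), _norm(ev.get("image"))
            if (parent.endswith("\\mshta.exe") and image.endswith(".exe")
                    and any(p in image for p in USER_WRITABLE)):
                findings[guid].add("Executes dropped EXE")
        elif kind == "registry_query":
            if any(g in _norm(ev.get("key")) for g in GEOFENCE_KEYS):
                findings[guid].add("Checks computer location settings")
        elif kind == "dns_query":
            if _norm(ev.get("query")) in IP_LOOKUP_DOMAINS:
                findings[guid].add("Looks up external IP address via web service")
        elif kind == "network_connect":
            if int(ev.get("dst_port", 0)) == SMTP_SUBMISSION_PORT:
                findings[guid].add("Blocklisted process makes network request")
    return findings


def score(findings, threshold=3):
    """Keep only processes that hit at least `threshold` distinct behaviours.

    Any one of these events is common on a healthy host (a mail client uses
    587, a browser resolves ip-api.com); the chain in one process is not.
    """
    return {g: sorted(b) for g, b in findings.items() if len(b) >= threshold}


# Constructed events: P1 is the dropped payload launched from the HTA,
# P2 is an ordinary mail client that only touches port 587.
SAMPLE_EVENTS = [
    '{"type": "process_create", "pguid": "P1", "parent_image": "C:\\\\Windows\\\\System32\\\\mshta.exe", '
    '"image": "C:\\\\Users\\\\victim\\\\AppData\\\\Local\\\\Temp\\\\upd.exe"}',
    '{"type": "registry_query", "pguid": "P1", "key": "HKU\\\\S-1-5-21-1\\\\Control Panel\\\\International\\\\Geo\\\\Nation"}',
    '{"type": "dns_query", "pguid": "P1", "query": "checkip.dyndns.org"}',
    '{"type": "network_connect", "pguid": "P1", "dst_port": 587}',
    '{"type": "network_connect", "pguid": "P2", "dst_port": 587}',
]

if __name__ == "__main__":
    for guid, labels in score(analyse(SAMPLE_EVENTS)).items():
        print(guid, "->", ", ".join(labels))
```

Two of the report's signatures are deliberately not covered here. "Suspicious use of SetThreadContext" is a sandbox API-hook observation (typical of process hollowing) that Sysmon does not log; on an endpoint you would look for CreateRemoteThread (Event ID 8) or ProcessAccess (Event ID 10) from the dropped EXE instead. "Accesses Microsoft Outlook profiles" is a registry read under the Outlook profile hive, which the same registry_query branch could carry once you know the key path your telemetry records.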

MITRE ATT&CK Enterprise v15

Tasks