General

  • Target

    Business_License_and_order_confirmation.zip

  • Size

    506KB

  • Sample

    241003-szj5wswdmg

  • MD5

    65507e7009e8894d5ab6cf4a612da5c4

  • SHA1

    d3ad1357b314de44a22f62004e1d55da94fd5b15

  • SHA256

    75f46aca8782194fef67c5df2632a76736674afa4b5791d44ca3d30e039754bc

  • SHA512

    26cfb0367ffad8f9bed5486b244bf8add1bbbf74fcc0bc6b9bd69f8db058551fdf4982e201cbf166f8c33736e3097b317de6a52800ed6b65417c6ee2594c2179

  • SSDEEP

    6144:5cf/hZqSw98xAVoqagYAydOKRVAX88EbtVknTS1UcLAWqSL8AXl4mWDq7c4MS3c+:5cXhNBmwZSTyUcmq8AXiukg

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6515689087:AAEnerpIS1xuf83Wz7mf2-PPkvlmor9Mt7U/sendMessage?chat_id=1015404316

Targets

    • Target

      Business_License_and_order_confirmation.exe

    • Size

      674KB

    • MD5

      9df7034c98b3290a35186546ca8c0028

    • SHA1

      8439a19f41bc2327615bc4bfe941d35fd7fc5fe7

    • SHA256

      fc2bdbad12bfe9fc0121328bab79347f90e2b45454f87fb8814162ab81040200

    • SHA512

      c43c042de886e5669661c505b85a7fa06f29d2551962f131627a4a727d952b0bcb0d66667b62d27e51263e2fb8dbc7facf968eef373d536b7015b6dc458f6e39

    • SSDEEP

      12288:MSBhH7RDsH9lRhr4LEATyUkYq8AP/ABsV7N5:/v76UjTy189s7N

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks