Extracted

• • Target

    na.hta

  • Size

    150KB

  • MD5

    25a0a6e379daa9cb5c68307fbf0857ea

  • SHA1

    4c672a33a46b32584f00868c4b98d10187a91c3c

  • SHA256

    bdae25f01110b01f248c854d1ee715aa77d00342a7db6fe5cc06e085c07dfbef

  • SHA512

    fb0bb7232df274cc07e30ec425e891e40cc105469e2aaf0f0d3843199c605f910a74690195a08ed1b269725ff13a48b927585d0f98a655743b0484ea8f652ee7

  • SSDEEP

    48:7oa+ahWjz7eWLB2L64UKB3Rns4wKB3RnFWhWYYeecSr99DdokZGStBw04v4U1QYx:Ea+Cw7W3FNYfqffZUgAVT

  Score

  10^/10

  snakekeyloggercollectiondefense_evasiondiscoveryexecutionkeyloggerstealer

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger

  • Snake Keylogger payload

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Evasion via Device Credential Deployment

    defense_evasionexecution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2