Extracted

• • Target

    700f648940b37668c1eab7e0cf8a4783d2941296ee7eb99c01571e39cd9a5758

  • Size

    2.3MB

  • MD5

    82b5627016f292035b2f3446824f4781

  • SHA1

    9ecc6a7a7e2dd886b68a056e4a577ad3b0abacea

  • SHA256

    700f648940b37668c1eab7e0cf8a4783d2941296ee7eb99c01571e39cd9a5758

  • SHA512

    fe2dd7b0f3755b9fc594a0e7e9fabf2dfd95deb22e1010f4054ba4d8227715747bbaa5b21729a3852c8a684a2147b41dd00bffa9fa7e719ce1d20476d370517b

  • SSDEEP

    49152:FUL4JRecbOxT52oEpr1yfRbrL68oj6DGwG:Fa4JRhbGNuGfRbHMj6V

  Score

  10^/10

  discoverypersistencesnakekeyloggercollectionkeyloggerstealer

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger

  • Snake Keylogger payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2