General

  • Target

    seethemagicalpersoninmylifewithherlifegoodforme.hta

  • Size

    130KB

  • Sample

    241023-gtq6gavbre

  • MD5

    42ad4924ceb9f99d1a69af070b9952b9

  • SHA1

    00b53af05220b7e3216a9ef64805feddcc82c729

  • SHA256

    a83ac36314853f773e848c63c40aafe74029cca2ab364fee41b15486e267e6c9

  • SHA512

    688796c131f863fa8dbe67e66167d18997561c61205062bc50e5d14b2f3e1b45614a6d04d0f0eb83029151577ae7494509f69eb038eb79fe50986d1e74cea1b2

  • SSDEEP

    96:Eam77w29ir9w29i3ADFXhAfVVXoPw29i+w29ii2Jw29ihc7T:Ea278r983YXhAteP8+8i2J8hiT

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot8129252196:AAFb_vUYwennKVolbwpXf3vnDfT_yhozHns/sendMessage?chat_id=7004340450

Targets

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks