General

  • Target

    9HLED_file.exe

  • Size

    3.6MB

  • Sample

    241209-tvvaqsylgp

  • MD5

    34aad6fec4fa9e1387d268bb6f24f758

  • SHA1

    959cca79e07e7a9589f05ac46d1bf9563d38de8b

  • SHA256

    99b74e18133910a21f58428c8fd9615a8dcb6a496bcda6acd20b5621d7951e43

  • SHA512

    85caddccbef84b9cbd6ad7cc100e3183a72ff99cb4485e7426d06f38aed9e163d5e3c072b5d33b6adf44070955e8a71d1843c5bdb3a1bd3fd136b56ecc42c9ea

  • SSDEEP

    49152:TBwDUAR6Qzk7UHlj796h+16eUMTycWaX/Ngvv1VlHIPIV/CdQvJuJ44wPcbErkcT:TKQtQzv9XUMmczWvnlo0KSj5L1Ln9

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7692220058:AAEny12fSzuKXI7iNJaESECu5UR80nmwLAQ/sendMessage?chat_id=7342994424

Targets

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks