Extracted

• • Target

    cc5673129fc136b3470b07c114bac777daa92fa71a19277f8a2bdcdc99cc92da.exe

  • Size

    715KB

  • MD5

    07a0a5e8a40142d008967397e6262127

  • SHA1

    3b82f1e8dfb20ce349cf78a5e2b150c27516700d

  • SHA256

    cc5673129fc136b3470b07c114bac777daa92fa71a19277f8a2bdcdc99cc92da

  • SHA512

    dd4a92f7cba7043a64df227cd1474706d675b365ff3623505a1299d66d83449fbfee4f8b2e654a4b6052f127b14a61f30d7072ba4119f0f58c968539f03005e8

  • SSDEEP

    12288:2CMR7e1amGg9n2LJEM7KtwMP/hgo69K/Hk0tE/Howy9EXX+5LkR:4ev2LGtwMB6EHc/HowFOY

  Score

  10^/10

  snakekeyloggercollectiondiscoveryexecutionkeyloggerstealer

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger

  • Snake Keylogger payload

  • Snakekeylogger family

    snakekeylogger

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2