Extracted

• • Target

    ODEME DEKONTU 00030494900059595060609000.exe

  • Size

    828KB

  • MD5

    d8826cf09a9b40b56e353d40d4b1e024

  • SHA1

    ed328b5e815a91c795adbf122b8b79710c2ae2b8

  • SHA256

    9c41ef44a3b1645d2c561f68b044777d534cd1a8508db648fb788ebb79d1b2f9

  • SHA512

    0e4d5e405a83877debc4bcde13d86d017cb1005e56c4dc69fceefb4830e21b7aa15420d2448883982655f6387207a924daeebed4b817d48b18d21bedd15e963b

  • SSDEEP

    12288:DdUMXe5y/t1uoGlT/zX3KsEFpBq+f3vTOQdpuL5fxpB00FYtmS3eRg:DVSKl8I3viQU5fxpB00FYeR

  Score

  10^/10

  snakekeyloggercollectiondiscoveryexecutionkeyloggerspywarestealer

  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger

  • Snake Keylogger payload

  • Snakekeylogger family

    snakekeylogger

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of local email clients

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2