snakekeylogger | b5ee09fd0f97bdcfc8367cf753f25020733bee7536a181b15d04c9fd51603aab

General

Target

b5ee09fd0f97bdcfc8367cf753f25020733bee7536a181b15d04c9fd51603aab
Size

543KB
Sample

250210-xzqpwssral
MD5

27e7f1ac798d71ca11155601c951de61
SHA1

5f471642fb2cfcd3fabc54f8f5427bcc9af065ec
SHA256

b5ee09fd0f97bdcfc8367cf753f25020733bee7536a181b15d04c9fd51603aab
SHA512

dc6a11088398f5419af87e6abc62b5a34a27a8dcd4b5197842aa64dfc0fc9e8676faeb6e96a300690caafe24bfb94a6ce45f1ceac87ceac1252f28382048a6a5
SSDEEP

12288:eoH0E1jWUNZPXEuZ0L2grgitDYTxr3lcCwc:JUEZ4uZw2Kgit4xDlcCwc

Score

10^/10

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7810622048:AAGlXVtU9EeAX6sumC63y05EJISEAmugavs/sendMessage?chat_id=986310232

Targets

- Target
  
  Shipping Documents 55000056.exe
- Size
  
  646KB
- MD5
  
  99bcea5fed5508faa536dbd5e5793205
- SHA1
  
  2f8b5d9544a407f04f6395d4deefdabe668e1973
- SHA256
  
  7b68c48b511ccce45f8a2f7b9c7c58aaf41323ad7a654b430be3ac9cbc3aa66b
- SHA512
  
  45bb84f368d637390c41b2ff726e234aa07cc024e270d2ea86674d291964c3a042f1aa5b3afcf284430195ee986530937e5b02d62b704ad8b14fcd58adaab491
- SSDEEP
  
  12288:U6+wIZT75oaovT2lPK7J52w6UzWx2DJ5Z+207hDF1lvmNEHe28lx9o+no:/+wIZT7g2BKq2DJ5ZeDrlvmmHK
Score

10^/10

snakekeylogger discovery execution keylogger stealer collection spyware
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Snakekeylogger family
  snakekeylogger
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2