General

  • Target

    FATURAS.exe

  • Size

    544KB

  • Sample

    250320-sh5p9sykx8

  • MD5

    5d77cd7033187dfc736119b570bee5b5

  • SHA1

    78dd8d7621e5bd13369bc0f921ab11ebdc8ba146

  • SHA256

    f20f9cb6076b4f3ad87fa30da557257802b0f5093cffca1cf4c8359105b1a3ed

  • SHA512

    155439b5c187815107770e59294b839895283ef412b86716dddf2f4b5fc26f134f4500e90c1c07933b2154fd3359f1ecbd21720f75e685529acda2c81fb1c2bc

  • SSDEEP

    12288:ciGRHxB1qAJbgg7bjBhZNq/CGiUy3pKIHWzURPdApr9CdRjmYLwfXA+8:cVTXgCJh7q/5ih3IUSExLOAz

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7811478868:AAFz8G54tjfmoXGXiHlkaDDwEoEtiu2Dae8/sendMessage?chat_id=5692813672

Targets

    • Target

      FATURAS.exe

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Snakekeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks