snakekeylogger | a134c1c356f903af382d4578414a3b4d4d025b65e9754d4f7a67ba47ce2b554e | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

NewOrder.vbs

windows7-x64

8

NewOrder.vbs

windows10-2004-x64

Sharing

General

Target

NewOrder.vbs
Size

201KB
Sample

250327-mpxqcasqs7
MD5

8341669f2343d4278582609720bfa160
SHA1

0f5b6a4a92d09c84dee81b5adfb2fd06d0164d87
SHA256

a134c1c356f903af382d4578414a3b4d4d025b65e9754d4f7a67ba47ce2b554e
SHA512

1fe7092e7237d7c35b56e4f0ebe6ac4f491b7e994154d0534425dd53a5f3817cb320234eae20e72e14600ae3b1f6481279c63756e1fe74af441411a343e4c3c2
SSDEEP

3072:hLURz9FVOOUU/wW4MoQB3zAyfHf91BIHLK/AFpVi8qgZ3Dxy4XXQNdDadKzM8KiH:hLyEyfHf7BIHL68qY3NHTkh

Score

10^/10

snakekeylogger collection discovery execution keylogger stealer

Static task

static1

Behavioral task

behavioral1

Sample

NewOrder.vbs

Resource

win7-20240729-en

discovery execution

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

NewOrder.vbs

Resource

win10v2004-20250314-en

snakekeylogger collection discovery execution keylogger stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
50.31.176.103
Port:
21
Username:
[email protected]
Password:
HW=f09RQ-BL1

Extracted

Family

snakekeylogger

Credentials

Protocol: ftp
Host:
ftp://50.31.176.103/
Port:
21
Username:
[email protected]
Password:
HW=f09RQ-BL1

Targets

- Target
  
  NewOrder.vbs
- Size
  
  201KB
- MD5
  
  8341669f2343d4278582609720bfa160
- SHA1
  
  0f5b6a4a92d09c84dee81b5adfb2fd06d0164d87
- SHA256
  
  a134c1c356f903af382d4578414a3b4d4d025b65e9754d4f7a67ba47ce2b554e
- SHA512
  
  1fe7092e7237d7c35b56e4f0ebe6ac4f491b7e994154d0534425dd53a5f3817cb320234eae20e72e14600ae3b1f6481279c63756e1fe74af441411a343e4c3c2
- SSDEEP
  
  3072:hLURz9FVOOUU/wW4MoQB3zAyfHf91BIHLK/AFpVi8qgZ3Dxy4XXQNdDadKzM8KiH:hLyEyfHf7BIHL68qY3NHTkh
Score

10^/10

discovery execution snakekeylogger collection keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Snakekeylogger family
  snakekeylogger
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

snakekeyloggercollectiondiscoveryexecutionkeyloggerstealer

© 2018-2025

Terms | Privacy