snakekeylogger | dd0dcef03fa77274bed40ecca1b327cb345bb8f053df0b383693d1c4dd39c9fd | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

New Order.vbs

windows7-x64

8

New Order.vbs

windows10-2004-x64

Sharing

General

Target

27032025_1634_27032025_NewOrder.r00
Size

78KB
Sample

250327-vfberavxc1
MD5

308dbb266dfd4825c3b82e398492d188
SHA1

3965b1a202c376892ccbe6a926d2de27368165ce
SHA256

dd0dcef03fa77274bed40ecca1b327cb345bb8f053df0b383693d1c4dd39c9fd
SHA512

d591eb58eff52fd35d4140b68d91b674124356d822e4ee59a8784b40fe6ee614a0c9b4f9521787c836e6b6c86d12bce0c0861b41a477ca4cf59ee8963afe830c
SSDEEP

1536:woZKsYCt1fjcKi83PEFW3EK3kr3Da+HKw/vQb2giP:wbsttdjcKjPEY/30Da+HKivQb9k

Score

10^/10

snakekeylogger collection discovery execution keylogger stealer

Static task

static1

Behavioral task

behavioral1

Sample

New Order.vbs

Resource

win7-20240729-en

discovery execution

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

New Order.vbs

Resource

win10v2004-20250314-en

snakekeylogger collection discovery execution keylogger stealer

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
50.31.176.103
Port:
21
Username:
[email protected]
Password:
HW=f09RQ-BL1

Extracted

Family

snakekeylogger

Credentials

Protocol: ftp
Host:
ftp://50.31.176.103/
Port:
21
Username:
[email protected]
Password:
HW=f09RQ-BL1

Targets

- Target
  
  New Order.vbs
- Size
  
  201KB
- MD5
  
  8341669f2343d4278582609720bfa160
- SHA1
  
  0f5b6a4a92d09c84dee81b5adfb2fd06d0164d87
- SHA256
  
  a134c1c356f903af382d4578414a3b4d4d025b65e9754d4f7a67ba47ce2b554e
- SHA512
  
  1fe7092e7237d7c35b56e4f0ebe6ac4f491b7e994154d0534425dd53a5f3817cb320234eae20e72e14600ae3b1f6481279c63756e1fe74af441411a343e4c3c2
- SSDEEP
  
  3072:hLURz9FVOOUU/wW4MoQB3zAyfHf91BIHLK/AFpVi8qgZ3Dxy4XXQNdDadKzM8KiH:hLyEyfHf7BIHL68qY3NHTkh
Score

10^/10

discovery execution snakekeylogger collection keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Snakekeylogger family
  snakekeylogger
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

snakekeyloggercollectiondiscoveryexecutionkeyloggerstealer

© 2018-2025

Terms | Privacy