snakekeylogger | e891f78a266e0c72e86cc6164dbd199f98e6c3f1a830b0185c1e5118092c461a | Triage

Submit
Reports

Overview

overview

Static

static

1

e891f78a26...1a.exe

windows10-2004-x64

Sharing

General

Target

e891f78a266e0c72e86cc6164dbd199f98e6c3f1a830b0185c1e5118092c461a
Size

1013KB
Sample

250414-rp4acaynt2
MD5

200d9fd5a05344273a986a42a29d6043
SHA1

463c1215a8473d4c135af40a5c583544a32a3f17
SHA256

e891f78a266e0c72e86cc6164dbd199f98e6c3f1a830b0185c1e5118092c461a
SHA512

16102a69aaf1289360f7551badf7b334a654481fb318d17b8d8c14004d325d92a052f70068ddc33fa005299fdbe89523cd67b09216d3a6a410736aa9b777db64
SSDEEP

24576:jG8VwDHu09EfvV973tch85j+nJuhUwY+s6iA4GuaJjt8+:qyjvV97dcyjIJuJ26Id+

Score

10^/10

snakekeylogger collection discovery execution keylogger stealer

Static task

static1

Behavioral task

behavioral1

Sample

e891f78a266e0c72e86cc6164dbd199f98e6c3f1a830b0185c1e5118092c461a.exe

Resource

win10v2004-20250314-en

snakekeylogger collection discovery execution keylogger stealer

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot7861423597:AAGuw8X75R5fZU_ucABf62dLoKBIKdyyem0/sendMessage?chat_id=7451270736

Targets

- Target
  
  e891f78a266e0c72e86cc6164dbd199f98e6c3f1a830b0185c1e5118092c461a
- Size
  
  1013KB
- MD5
  
  200d9fd5a05344273a986a42a29d6043
- SHA1
  
  463c1215a8473d4c135af40a5c583544a32a3f17
- SHA256
  
  e891f78a266e0c72e86cc6164dbd199f98e6c3f1a830b0185c1e5118092c461a
- SHA512
  
  16102a69aaf1289360f7551badf7b334a654481fb318d17b8d8c14004d325d92a052f70068ddc33fa005299fdbe89523cd67b09216d3a6a410736aa9b777db64
- SSDEEP
  
  24576:jG8VwDHu09EfvV973tch85j+nJuhUwY+s6iA4GuaJjt8+:qyjvV97dcyjIJuJ26Id+
Score

10^/10

snakekeylogger collection discovery execution keylogger stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Snakekeylogger family
  snakekeylogger
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Accesses Microsoft Outlook profiles
  collection
- Blocklisted process makes network request
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

snakekeyloggercollectiondiscoveryexecutionkeyloggerstealer

© 2018-2025

Terms | Privacy