{
	"id": "f71ac439-28a3-459c-94b5-ed03d46866a5",
	"created_at": "2026-04-06T00:21:31.333306Z",
	"updated_at": "2026-04-10T03:36:47.896423Z",
	"deleted_at": null,
	"sha1_hash": "1bb2fa13088aa8dcb3fc50c4167f4e9eb5b12afd",
	"title": "Analyzing Snake Keylogger in ANY.RUN: a Full Walkthrough",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 27261605,
	"plain_text": "Analyzing Snake Keylogger in ANY.RUN: a Full Walkthrough\r\nBy Lena aka LambdaMamba\r\nPublished: 2023-10-05 · Archived: 2026-04-05 23:18:03 UTC\r\nLena aka LambdaMamba\r\nI am a Chief Research Officer at a cybersecurity company. My passions include investigations, experimentations,\r\ngaming, writing, and drawing. I also like playing around with hardware, operating systems, and FPGAs. I enjoy\r\nassembling things as well as disassembling things! In my spare time, I do CTFs, threat hunting, and write about\r\nthem. I am fascinated by snakes, which includes the Snake Malware!\r\nCheck out:\r\nMy website\r\nMy LinkedIn profile\r\nEmails are a common communication method but also a major vector for cyber threats. They can deliver\r\neverything from scams and data theft to malware. Unfortunately, one bad email can lead to financial loss,\r\nreputational damage, and even escalate into broader system compromise.\r\nTo bolster email security, it’s essential to understand the types of attacks you’re up against. This blog post dives\r\ninto a real-world example featuring a Snake Keylogger attachment.\r\nLet’s dive right into it!\r\nOverview of the Snake Keylogger \r\nThe Snake Keylogger is an infostealer malware written in the .NET programming language. It was discovered in\r\nNovember 2020 and is also known as the 404 Keylogger, 404KeyLogger, and Snake. \r\nThe Snake Keylogger steals various information from the victim, such as saved credentials, clipboard data,\r\nkeystrokes, and screenshots of the victim’s screen. \r\nThis malware also checks and collects the system information, which includes the system’s hostname, username,\r\nIP address, geolocation, date and time, and more. 
It then exfiltrates the collected information through protocols\r\nsuch as FTP, SMTP, and Telegram.\r\nhttps://any.run/cybersecurity-blog/analyzing-snake-keylogger/\r\nPage 1 of 30\n\nMore information on the Snake Keylogger and its trends can be found in ANY.RUN’s Malware Trends.\r\nSample Collection and Preparation for Analysis\r\nLet’s first look at the sample collection method and environment setup.\r\nIn ANY.RUN’s Public Submissions, the following filters were applied:\r\nOBJECT \u003e “Email Files”\r\nVERDICT \u003e “Malicious”\r\n“32b4f238-3516-b261-c3ae-0c570d22ee18.eml” was selected for analysis. This file had the following attributes:\r\nSHA1 hash of “1D17DD1688A903CBE423D8DE58F8A7AB7ECE1EA5”\r\nMIME type of “message/rfc822”\r\nRFC 822 mail, UTF-8 Unicode text, with very long lines, with CRLF line terminators\r\nThe Filters used to find Malicious Email Files in ANY.RUN’s Public submissions\r\nThe sample can be downloaded with “Download”, and submitted for analysis in the ANY.RUN sandbox using the\r\n“Submit to Analyze” button:\r\nThe overview of “32b4f238-3516-b261-c3ae-0c570d22ee18.eml” in Static Discovering\r\nA new ANY.RUN task was created for this sample with the following setup:\r\nCreation of a New Task, and the setup used for the analysis\r\nThe ANY.RUN task for this file can be found here.\r\nAnalyzing the Email\r\nGoal of this step: In this section, we’ll explore the email body, header, and social engineering tactics.\r\nOpening “32b4f238-3516-b261-c3ae-0c570d22ee18.eml” on Windows 11’s Microsoft Outlook showed the email\r\ncontents:\r\nOpening the email file on Windows 11’s Microsoft Outlook\r\nThe email body shows the sender attempting to convince the recipient to download and open the email attachment\r\nby referencing the “client”. 
The email signature makes references to a Customs Clearing Agency in Bolivia and\r\nuses the BMW Group’s Logo, suggesting that the sender was attempting to exploit familiarity. Familiarity\r\nExploitation is a social engineering tactic where one pretends to be an entity that is familiar to the target.\r\nThe email headers can reveal key information and are useful when analyzing the legitimacy of the email. It is\r\ncrucial to analyze the SPF and DKIM information when attempting to determine an email’s legitimacy.\r\nSPF (Sender Policy Framework) is a DNS record that is used to verify the legitimacy of email senders. The\r\nemail recipient’s server checks the SPF record of the sender’s domain to verify that the sending server is an approved\r\nsender.\r\nDKIM (DomainKeys Identified Mail) is an email authentication method used to verify the authenticity and\r\nintegrity of the email. A digital signature is added to the email’s header, which is generated by the sender’s\r\nserver with a private key. This is verified by the recipient’s server with a public key published in the\r\nsender’s DNS records.\r\nThe email header reveals that the SPF check failed, where the sender IP was 45[.]227.X.34. The header mentions\r\n“[GREEN].com[.]bo does not designate IP 45[.]227.X.34 as permitted sender”. Also, there was no DKIM or\r\nDMARC, and the message was not signed:\r\nA section of the sample email’s header shows the SPF, DKIM, and DMARC information\r\nThe IP address 45[.]227.X.34 is associated with these domains (hidden with purple and blue markers for\r\nconfidentiality reasons). 
According to VirusTotal, it appears to be a security company in Argentina:\r\nLooking up the IP address 45[.]227.X.34 on VirusTotal\r\nThe email header shows the authenticated sender, which was “cobranzas@[PURPLE].com.ar”.\r\nA section of the sample email’s header shows the authenticated sender\r\nThe email header also revealed the User-Agent, which was “Roundcube Webmail/1.4.2”. Roundcube Webmail is\r\nfree and open-source webmail software.\r\nA section of the sample email’s header shows Date, Time, From, To, Subject, User-Agent, etc.\r\nWhat did we learn from the header?\r\nIt indicates that this email was most likely not legitimate. The contents of the email and the sender’s email address\r\nsuggest that it was attempting to impersonate a company in Bolivia that provides brokering and insurance\r\nservices. Additionally, it utilized social engineering tactics to convince the recipient to download and open the\r\nattachment.\r\nAnalyzing the Behaviour of the Attachment\r\nGoal of this step: In this section, we’ll explore the behavioral analysis of the email’s attachment on Windows 11\r\nand examine the involved files.\r\nA file called “pago 4094.r09” is attached to this email, with the following attributes:\r\nSHA1 hash of “CF13DF73EFF74B9CEB6D837C1D7CC9D01FE918DB”\r\nMIME type of “application/x-rar”\r\nRAR archive data, v5\r\nThe information for pago 4094.r09 in Static Discovering\r\nDownloading and opening “pago 4094.r09” in WinRAR shows that it contains an application called “pago\r\n4094.exe”:\r\nOpening “pago 4094.r09” in WinRAR\r\nExtracting “pago 4094.exe” onto the Desktop reveals that it uses the Yahoo! Buzz icon. Yahoo! Buzz is a\r\ncommunity-based news article website.\r\nThe Yahoo! 
Buzz icon\r\nThe properties tell us that the original filename was “mKkHQ.exe”, and that it had the copyright “QBuzz 2011”:\r\nThe Properties for “pago 4094.exe”\r\nThis executable “pago 4094.exe” has the following attributes:\r\nSHA1 hash of “A663C9ECF8F488D6E07B892165AE0A3712B0E91F”\r\nMIME type of “application/x-dosexec”\r\nPE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows\r\nStatic Discovering shows the details of the executable “pago 4094.exe”.\r\nSaving credentials in browsers\r\nBefore executing “pago 4094.exe”, various fake credentials were purposefully saved in browsers like Chrome\r\nand Microsoft Edge. This was done to observe the malware’s credential-stealing behavior.\r\nSaving fake Facebook credentials on Chrome, under “chrome://settings/passwords”\r\nSaving fake Instagram credentials on Microsoft Edge, under “edge://settings/passwords”\r\nOnce the fake credentials were saved in the browsers, “pago 4094.exe” was executed by double-clicking “pago\r\n4094.exe” on the Desktop.\r\nGetting into the execution flow\r\nAround 30 seconds after executing “pago 4094.exe”, the executable file disappears from the Desktop. A child\r\nprocess “C:\\Users\\admin\\Desktop\\pago 4094.exe” is created, and an executable file\r\n“C:\\Users\\admin\\AppData\\Local\\Temp\\tmpG484.tmp” is dropped. The dropping of the .tmp file is done to secure\r\npersistence on the victim machine.\r\nThe executable disappears from the Desktop, and “tmpG484.tmp” is dropped in\r\n“C:\\Users\\admin\\AppData\\Local\\Temp\\”\r\nNow, the Snake Keylogger is running silently in the background. 
From the Windows User’s perspective, nothing\r\nalarming happens.\r\nAnalyzing the Processes\r\nGoal of this section: We’ll explore the analysis of processes associated with the Snake Keylogger.\r\nProcess 1112 and its child process 3868 are the key processes involved in the malicious activities:\r\nThe “pago 4094.exe” processes\r\nDetailed look at the process 1112\r\nProcess 1112 was detected as 100/100 Malicious under the Threat Verdict. It can be observed querying the registry,\r\nperforming system information discovery, checking LSA protection, dropping another application, etc. This\r\nprocess ran for a total of 48.9 seconds.\r\nOverview of Process 1112, “pago 4094.exe”\r\nRegistry changes were seen for Process 1112, and the following Write Operations were conducted:\r\nThe Registry changes for Process 1112\r\nProcess 1112 also created a new file with the MIME type of “text/plain”, called “pago 4094.exe.log” under\r\n“C:\\Users\\admin\\AppData\\Local\\Microsoft\\CLR_v4.0_32\\UsageLogs\\”:\r\nThe creation of “pago 4094.exe.log”\r\nThe contents of “pago 4094.exe.log” contained references to System.Windows.Forms, System.Drawing, etc., which\r\nare associated with the .NET API. It also contained PublicKeyToken values:\r\nThe contents of “pago 4094.exe.log”\r\nDetailed look at the process 3868\r\nProcess 3868 plays a significant role in this malware. This process started at 287.76 seconds and ran all the way\r\nuntil the end. 
It steals credentials from browsers and files and sends these stolen credentials over SMTP:\r\nOverview of Process 3868, “pago 4094.exe”\r\nThe indicators for this process included “Known Threat”, “Connects to the network”, “Executable file was\r\ndropped”, “Actions similar to stealing personal data”, “Behavior similar to spam”, “The process has the malware\r\nconfig”, and “The module has a process dump.”\r\nThe indicators in Process 3868\r\nIt was detected as Snake Keylogger, where the destination IP was 158.101.44[.]242, with a destination port of 80.\r\nThis IP is associated with checkip.dyndns[.]com, and we will explore it in detail in the next section, Analyzing the\r\nNetwork Activities.\r\nThe detection of SNAKEKEYLOGGER\r\nProcess 3868 drops “C:\\Users\\admin\\AppData\\Local\\Temp\\tmpG484.tmp”. This has an MD5 hash of\r\n1A0F4CC0513F1B56FEF01C815410C6EA, which is the same as the MD5 hash for the original executable file\r\n“pago 4094.exe”. This is done to achieve persistence on the victim machine.\r\nA .tmp file is dropped\r\nDetails of the dropped “C:\\Users\\admin\\AppData\\Local\\Temp\\tmpG484.tmp”\r\nAnalyzing the Network Activities\r\nSection goal: In this section, we’ll explore the network activities associated with the Snake Keylogger and\r\nexamine the packet capture (PCAP) file in detail.\r\nProcess 3868, “pago 4094.exe”, attempted to retrieve external IP addresses with checkip.dyndns[.]org as shown in\r\nthe Threats Tab:\r\nThe Threats Tab shows the retrieval of the external IP address\r\nIt was seen connecting to 158.101.44[.]242 on port 80. 
This IP was associated with checkip.dyn… according to\r\nVirusTotal:\r\nThe Threat details show the source and destination IP and port.\r\nThe IP 158.101.44[.]242 was associated with checkip.dyn according to VirusTotal\r\nThe host checkip.dyndns[.]org is associated with IP checking. According to Dyn, “CheckIP will return the remote\r\nsocket’s IP address. If a client sends a Client-IP or a X-Forwarded-For HTTP header, CheckIP will return that\r\nvalue instead.”\r\nThe packet capture (PCAP) file was downloaded for further analysis. The following filter was applied on the\r\nPCAP in Wireshark.\r\nip.dst == 158.101.44.242 || ip.src == 158.101.44.242\r\nThis is done to check for packets where the destination or source IP was 158.101.44[.]242.\r\nPackets where the Destination or Source IP is 158.101.44[.]242\r\nFollowing the TCP stream revealed that it checked the current IP with checkip[.]dyndns.org, which was\r\n45.130.136[.]51:\r\nFollowing the TCP stream shows the current IP address\r\nA Network trojan was detected for process 3868, “pago 4094.exe” under the Threats tab:\r\nThe Detected Network Trojan\r\nA Snake Keylogger Exfil via SMTP was observed, where the destination IP was 208.91.199[.]255 and the\r\ndestination port was 587. SMTP on port 587 is the message submission port used by email\r\nclients to send authenticated mail to email servers. It typically uses STARTTLS or TLS/SSL for encryption.\r\nThe Threat Details of the Network Trojan\r\nApplying the smtp filter on the PCAP in Wireshark showed the data exfiltration taking place over SMTP:\r\nData exfiltration over SMTP\r\nFollowing the TCP stream revealed the SMTP Authentication taking place. 
The email address used to send the\r\nstolen information was likely a compromised account. According to OSINT, the compromised email address\r\nbelonged to a physical security company in South America.\r\nThe same is confirmed in the PCAP:\r\nFollowing the TCP stream shows the authentication taking place\r\nA section of the email header\r\nThe email has an attachment called “Passwords.txt”, which contains the stolen information. The contents of\r\n“Passwords.txt” are in Base64 inside the PCAP as shown:\r\nThe contents of “Passwords.txt” in Base64\r\nThe email has another attachment called “User.txt”, which also contains the stolen information. The contents of\r\n“User.txt” are also in Base64 inside the PCAP:\r\nThe contents of “User.txt” in Base64\r\nDecoding the contents of “Passwords.txt”\r\nDecoding the contents of “Passwords.txt” from Base64 on CyberChef reveals that it contained the computer name\r\n(“DESKTOP-BFTPUHP”), the date and time (8/4/2023 4:43:13 PM), and the IP address (45.130.136[.]51). 
It also\r\ncontained the fake credentials that were saved in Google Chrome and Microsoft Edge:\r\nDecoding “Passwords.txt” from Base64 on CyberChef\r\nRemoving the null bytes for improved readability\r\nDecoding the contents of “User.txt” from Base64 on CyberChef resulted in something similar to “Passwords.txt”,\r\nthough it did not contain null bytes, and was in a more human-readable format:\r\nDecoding “User.txt” from Base64 on CyberChef\r\nMITRE ATT\u0026CK\r\nSection goal: In this section, we’ll explore the MITRE ATT\u0026CK mapping for the Snake Keylogger and examine the\r\ninvolved Tactics and Techniques.\r\nThe MITRE ATT\u0026CK Matrix for this Snake Keylogger includes five Tactics, namely Initial Access, Execution,\r\nCredential Access, Discovery, and Command and Control (C\u0026C).\r\nMITRE ATT\u0026CK Matrix\r\nMITRE ATT\u0026CK: Initial Access\r\nFirstly, the phishing email “32b4f238-3516-b261-c3ae-0c570d22ee18.eml” entices the recipient to download and\r\nopen the attachment via social engineering (as seen in Analyzing the Email). The email has a RAR archive\r\nattachment “pago 4094.r09”, which contains an executable file “pago 4094.exe”.\r\nThe technique here is T1566 (Phishing), and the subtechnique is T1566.001 (Phishing: Spearphishing\r\nAttachment).\r\nMITRE ATT\u0026CK: Execution\r\nThe “pago 4094.exe”, namely process 1112, is manually executed by the user. In this case, “pago 4094.exe” was\r\nexecuted by double-clicking the Desktop icon.\r\nThe technique here is T1204 (User Execution), and the subtechnique is T1204.002 (User Execution: Malicious\r\nFile).\r\nTechniques details of User Execution\r\nMITRE ATT\u0026CK: Credential Access\r\nProcess 3868 attempted to steal credentials from web browsers and files. 
The technique here is T1555 (Credentials\r\nfrom Password Stores), and the subtechnique is T1555.003 (Credentials from Password Stores: Credentials from\r\nWeb Browsers).\r\nTechniques details of Credentials from Password Stores\r\nIt is also technique T1552 (Unsecured Credentials), and the subtechnique is T1552.001 (Unsecured Credentials:\r\nCredentials In Files).\r\nTechniques details of Unsecured Credentials\r\nProcess 3868 attempted “FILE_READ_ATTRIBUTES” access on files associated with browsers under the\r\n“C:\\Users\\admin\\AppData\\Local\\…” and “C:\\Users\\admin\\AppData\\Roaming\\…” directories.\r\nProcess 3868 attempted to steal credentials from Chromium, Opera, Epic Privacy Browser, QQ\r\nBrowser, etc.\r\nBefore executing “pago 4094.exe”, fake credentials were saved in Google Chrome and Microsoft Edge.\r\nThus, process 3868 attempted the following accesses on files related to Google Chrome, which were in\r\n“C:\\USERS\\ADMIN\\APPDATA\\LOCAL\\GOOGLE\\CHROME\\USER DATA\\DEFAULT\\LOGIN DATA” and\r\n“C:\\Users\\admin\\AppData\\Local\\Google\\Chrome\\User Data\\Local State”:\r\nFILE_READ_ATTRIBUTES\r\nREAD_CONTROL\r\nSYNCHRONIZE\r\nFILE_READ_DATA\r\nFILE_READ_EA\r\nFILE_READ_ATTRIBUTES\r\nThis process also attempted these accesses on files related to Microsoft Edge, which were in\r\n“C:\\Users\\admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data” and\r\n“C:\\Users\\admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Local State”:\r\nData being stolen from Google Chrome\r\nData being stolen from Microsoft Edge\r\nMITRE ATT\u0026CK: Discovery\r\nProcesses 1112 and 3868 attempt to query the registry. 
The registry contains a lot of crucial system information,\r\nsuch as OS, configuration, software, and security settings. The technique here is T1012 (Query Registry).\r\nThe processes attempted the following:\r\nTechniques details of Query Registry\r\nProcesses 1112 and 3868 attempt to discover system information and gather crucial system details.\r\nThe technique here is T1082 (System Information Discovery).\r\nThere are overlaps between this and the previous technique, T1012:\r\nTechniques details of System Information Discovery\r\nProcess 3868 attempts to discover installed software, and it attempted to access various locations associated with\r\nbrowsers. The technique here is T1518 (Software Discovery).\r\nTechniques details of Software Discovery\r\nProcess 3868 attempts to discover the system network configuration. It checked for the external IP, where the\r\ndestination IP was 158.101.44[.]242 and the destination port was 80. The technique here is T1016 (System\r\nNetwork Configuration Discovery).\r\nTechniques details of System Network Configuration Discovery\r\nMITRE ATT\u0026CK: C\u0026C\r\nProcess 3868 then communicates over an application layer protocol. Due to the existing background traffic,\r\ncommunication using application layer protocols may fly under the radar. 
It was seen connecting to the SMTP\r\nport 587, where the destination IP was 208.91.199[.]225.\r\nThe technique here is T1071 (Application Layer Protocol), and the subtechnique is T1071.003 (Application Layer\r\nProtocol: Mail Protocols).\r\nTechniques details of Application Layer Protocol\r\nFinally, the malware configuration for the Snake Keylogger can be seen in ANY.RUN’s Malware Configuration:\r\nThe Malware Configuration for the Snake Keylogger\r\nConclusion\r\nThis analysis showed how a single malicious email can lead to multiple security risks, including financial and\r\nreputational damage. We used various techniques like email and attachment analysis, process and network\r\nanalysis, and applied the MITRE ATT\u0026CK framework.\r\nThe focus was on an email with a Snake Keylogger attachment. It collects system info, establishes persistence,\r\nsteals credentials, and exfiltrates data.\r\nGiven that emails remain a top threat vector often exploiting human error, staying vigilant against email threats is\r\ncrucial.\r\nAbout ANY.RUN\r\nANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR\r\nteams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.\r\nRequest a demo today and enjoy 14 days of free access to our Enterprise plan.
Appendix 1: IOCs\r\nAnalyzed files:\r\nName 32b4f238-3516-b261-c3ae-0c570d22ee18.eml\r\nMD5  60D00C17D3EA15910893EEF868DE7A65\r\nSHA1 1D17DD1688A903CBE423D8DE58F8A7AB7ECE1EA5\r\nSHA256 D13A7EAAF07C924159EA7BB8F297DAB1D8DA0F9AF46E82E24052D6A9BF5E4087\r\nSSDEEP 12288:vZ1Tzm0D2acQLqgVIjejueFyhaCV2JKKS7hoxSSqkljhEi9lV7j:z7K8FuuzCV2JKkxPOQ3\r\nName pago 4094.exe\r\nMD5  1A0F4CC0513F1B56FEF01C815410C6EA\r\nSHA1 A663C9ECF8F488D6E07B892165AE0A3712B0E91F\r\nSHA256 D483D48C15F797C92C89D2EAFCC9FC7CBE0C02CABE1D9130BB9069E8C897C94C\r\nSSDEEP 12288:PXPZDbCo/k+n70P4uR87fD0iBTJj1ijFDTwA:hOz+IPz6/PF1ihDTwA\r\nConnections:\r\n158.101.44[.]242・checkip.dyndns[.]org\r\n208.91.199[.]255・us2.smtp.mailhostbox[.]com\r\nAppendix 2: MITRE MATRIX\r\nTactics | Techniques | Description\r\nTA0001: Initial Access | T1566: Phishing | Send phishing messages to gain access to victim systems.\r\nTA0002: Execution | T1204: User Execution | Rely upon specific actions by a user in order to gain execution.\r\nTA0006: Credential Access | T1555: Credentials from Password Stores | Search for common password storage locations to obtain user credentials.\r\nTA0006: Credential Access | T1552: Unsecured Credentials | Search compromised systems to find and obtain insecurely stored credentials.\r\nTA0007: Discovery | T1012: Query Registry | Interact with the Windows Registry to gather information.\r\nTA0007: Discovery | T1082: System Information Discovery | Get detailed information about the operating system and hardware.\r\nTA0007: Discovery | T1518: Software Discovery | Get a listing of software and software versions that are installed.\r\nTA0007: Discovery | T1016: System Network Configuration Discovery | Look for details about the network configuration and settings.\r\nTA0011: Command and Control | T1071: Application Layer Protocol | Communicate using OSI application layer protocols to avoid detection.\r\nLena aka LambdaMamba\r\nChief Research Officer\r\nSource: https://any.run/cybersecurity-blog/analyzing-snake-keylogger/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://any.run/cybersecurity-blog/analyzing-snake-keylogger/"
	],
	"report_names": [
		"analyzing-snake-keylogger"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434891,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1bb2fa13088aa8dcb3fc50c4167f4e9eb5b12afd.pdf",
		"text": "https://archive.orkl.eu/1bb2fa13088aa8dcb3fc50c4167f4e9eb5b12afd.txt",
		"img": "https://archive.orkl.eu/1bb2fa13088aa8dcb3fc50c4167f4e9eb5b12afd.jpg"
	}
}