{
	"id": "65505d3a-fa11-4b43-b466-4a785afb2013",
	"created_at": "2026-04-06T00:11:56.702046Z",
	"updated_at": "2026-04-10T03:22:02.458839Z",
	"deleted_at": null,
	"sha1_hash": "611b53ae15b70e3b007e9dbb51bb8e54cdf45411",
	"title": "Uncovering the “Serpent”",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 875874,
	"plain_text": "Uncovering the “Serpent”\r\nPublished: 2023-11-30 · Archived: 2026-04-05 19:49:57 UTC\r\nInformation stealers are a pervasive threat and provide threat actors with a rich source of sensitive data.\r\nRecently, we came across a tweet advertising the Serpent Stealer for sale on the dark web. This .NET based malware not only acquires sensitive information from the most popular browsers and applications but also exfiltrates passwords.\r\nFigure 1: Tweet about Serpent Stealer\r\nTo stay stealthy, the stealer bypasses Windows User Account Control (UAC), debuggers, and virtual machines. It exfiltrates the browser data and passwords via webhooks and Discord abuse.\r\nBinary Analysis\r\nSerpent is a .NET based stealer that utilises the .NET runtime. It is a 64-bit portable executable binary.\r\nhttps://labs.k7computing.com/index.php/uncovering-the-serpent/\r\nPage 1 of 11\r\nFigure 2: File info (Serpent_Stealer)\r\nThe procedures within the Main() function of the malware binary that are used for data theft are presented below in their execution sequence.\r\nFigure 3: Main Function\r\nEnvironment checks\r\nOn its first execution, the stealer determines whether it is being run in a controlled environment. It does that by checking whether the obtained victim username exists in its “Black List Users” list.\r\nThe blocked usernames are shown in the table in Figure 4. If any of these usernames is obtained, the stealer immediately calls the Sleep and Exit functions to end its execution.\r\nFigure 4: Iterating with blacklist username\r\nFigure 5: Evasion Technique\r\nData collection\r\nOnce the malware verifies that it is not running under a controlled environment, it starts collecting data for exfiltration.\r\nIt begins with obtaining autofill information. The directory “%Localappdata%\\Google\\Chrome\\User Data” is obtained first. After that it establishes a connection to the SQLite database and collects data using the “SELECT * FROM autofill” query.\r\nFigure 6: Autofill stealer\r\nNext it collects history data from the “%Localappdata%\\Google\\Chrome\\User Data” path. After that it establishes a connection to the SQLite database and collects data using the “SELECT url FROM urls” query.\r\nFigure 7: History stealer\r\nAfter this, it checks the machine’s remote IP address. Then, it uses a webhook to exfiltrate the collected data to the C2 server.\r\nFigure 8: Checks the Remote IP\r\nFigure 9: Webhook – exfiltration technique\r\nAfter communicating with the C2, it tries to collect password data from any installed browser such as Chrome, Brave or Edge.\r\nFigure 10: Password stealer\r\nNext it targets crypto wallets by collecting data from some well-known crypto wallet software.\r\nFigure 11: Crypto wallet names\r\nFigure 12: Collects wallet data\r\nAfter collecting wallet data, it tries to collect bookmark data from the Chrome browser.\r\nFigure 13: Bookmark stealer\r\nAfterward, the malware extracts login credentials from the installation path of Steam, a video game digital distribution service, which it locates by identifying the registry path associated with Steam.\r\nIt also tries to steal SSH credentials from the ‘.ssh’ directory and FTP credentials from the Windows registry.\r\nFigure 14: SSH stealer\r\nFigure 15: FTP stealer\r\nFinally it runs a file stealer, which targets specific file extensions in specific folders of the file system.\r\nFigure 16: File stealer and the extensions targeted\r\nThe file stealer targets the following directories:\r\nDesktop\r\nDocuments\r\nPictures\r\nVideos\r\nDownloads\r\nUAC Bypass\r\nBefore exiting, the stealer calls one of the UAC bypass methods listed below:\r\nGUI based bypass\r\nBypass using Fodhelper\r\nBypass using Windows Defender\r\nIn the sample analysed, the Fodhelper method is used.\r\nFigure 17: UAC bypass\r\nFodhelper.exe is used in a known UAC bypass method: when it runs, it looks for certain registry keys that do not exist. As a result, an attacker can insert malicious commands into these registry keys, which are then executed by fodhelper.exe with the highest privilege (Admin privilege).\r\n1. New-Item \"HKCU:\\Software\\Classes\\ms-settings\\Shell\\Open\\command\" -Force – This command creates a new registry key at the mentioned path in the registry.\r\n2. New-ItemProperty -Path \"HKCU:\\Software\\Classes\\ms-settings\\Shell\\Open\\command\" -Name \"Delegate Execute\" -Value \"\" -Force – This command adds a new registry entry named Delegate Execute with an empty string value to the key.\r\n3. New-ItemProperty -Path \"HKCU:\\Software\\Classes\\ms-settings\\Shell\\Open\\command\" -Name \"(default)\" -Value \\\"{0}\\\" -Force – This command sets the default value of the registry key at the mentioned path to the value specified in the {0} placeholder.\r\nFigure 18: Program ending\r\nAs we can see, threat actors use advanced stealth techniques in info stealers to become more evasive. As the information stolen by the malware is sensitive, protecting yourself by investing in a reputable security product is necessary in today’s world. We at K7 Labs provide detection for such kinds of stealers and all the latest threats. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date to safeguard their devices.\r\nIOCs\r\nHash  Detection name\r\ne97868c8431ccd922dea3dfb50f7e0b5  Password-Stealer (005ac0721)\r\na3c4785a011c350839669b8e73c823f5  Password-Stealer (005ac0721)\r\nSource: https://labs.k7computing.com/index.php/uncovering-the-serpent/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/uncovering-the-serpent/"
	],
	"report_names": [
		"uncovering-the-serpent"
	],
	"threat_actors": [],
	"ts_created_at": 1775434316,
	"ts_updated_at": 1775791322,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/611b53ae15b70e3b007e9dbb51bb8e54cdf45411.pdf",
		"text": "https://archive.orkl.eu/611b53ae15b70e3b007e9dbb51bb8e54cdf45411.txt",
		"img": "https://archive.orkl.eu/611b53ae15b70e3b007e9dbb51bb8e54cdf45411.jpg"
	}
}