{
	"id": "e72971f6-9ff0-47c0-8597-cd9e4212c477",
	"created_at": "2026-04-06T00:08:03.909468Z",
	"updated_at": "2026-04-10T13:11:52.549007Z",
	"deleted_at": null,
	"sha1_hash": "bad8a3616647f1d0aa12d30af03068a488eb8b90",
	"title": "Deep Analysis of Snake Keylogger",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1087847,
	"plain_text": "Deep Analysis of Snake Keylogger\r\nBy Mohamed Ashraf\r\nPublished: 2022-06-24 · Archived: 2026-04-05 17:57:52 UTC\r\nIntroduction\r\nSnake Keylogger is a .NET malware focused on stealing sensitive information from the victim's device: saved credentials, keystrokes, screenshots of the victim's screen and clipboard contents.\r\nIt is usually delivered through a malicious document and arrives packed, so let's start by unpacking it.\r\nUnpacking\r\nStage 1\r\nLet's first check the resources; they are always a good place to look.\r\nThere are two suspicious resources, Rara3 and ResourceFallbackMana, so the malware probably uses them for the next stages of unpacking.\r\nChecking the entry point, there is a constructor called Home.\r\nThe Home constructor calls a function that initializes its components, IntializeComponent.\r\nhttps://x-junior.github.io/malware%20analysis/2022/06/24/Snakekeylogger.html\r\nPage 1 of 17\n\nScrolling to the end of it, a function nnn is called, which calls sss, which calls SponsorState. This function retrieves the resource Rara3, loops through its bytes and decrypts them by calling DismatleCode; the decrypted resource is a DLL.\r\nThe malware then invokes the MRMWrapperDictionary.memory..cctor() method from the loaded DLL.\r\nStage 2\r\nThe DLL is named MLang and is obfuscated, so I decided to go with the flow until I found the function AnsiChar, which decrypts the next stage. It does the following:\r\n1. Load the resource ResourceFallbackMana. Its name is taken from CurrentA, which holds it hex-encoded as 5265736F7572636546616C6C6261636B4D616E61 (the ASCII bytes of ResourceFallbackMana).\r\n2. Decrypt the resource.\r\n3. Invoke the targeted method, UeAupokA536JGhxDyO.sW3Asla2NyvByhVDAa.JSwk4uviT2().\r\nStage 3\r\nThe DLL IVectorView is even more heavily obfuscated than the previous stage, and since it is not our main payload I won't bother renaming the functions.\r\nI leave the function names as they are to make it easier for anyone who wants to unpack this sample.\r\nImportant functions executed, in order:\r\nGet the path to the sample.\r\nahGXTXMe7uAdQ8NrjfG.lk5MbtJFe(uK4AJrYGvvq1w2WkdOi.lk5MbtJFe(uK4AJrYGvvq1w2WkdOi.W1QYvJs3HW), ahGXTXMe7uAdQ8NrjfG.A3vYOBZp64)\r\nSleep for 4 seconds.\r\ntSUHMWMAIim5ETkhruf.lk5MbtJFe(tPjaFIYeEJC8ehJovOA.lk5MbtJFe(sW3Asla2NyvByhVDAa.w2n8tHiqWL[35], tPjaFIYeEJC8ehJovOA.gMSY7bPola) * 1000, tSUHMWMAIim5ETkhruf.guWM0HK2GW)\r\nGet the Roaming folder path.\r\ndoGHn4M3qsgWjpC57JN.lk5MbtJFe(sW3Asla2NyvByhVDAa.OMepjHU8u0PQqAcfgBt(Environment.SpecialFolder.ApplicationData), MtylF5MN0ZB1XUnlinq.lk5MbtJFe(4212, MtylF5MN0ZB1XUnlinq.cqxM4wlCTi), doGHn4M3qsgWjpC57JN.t77MmT7Umi)\r\nAppend jwoHTfo.exe to the path.\r\npsokcXYESiVIocWutWY.lk5MbtJFe(text3, sW3Asla2NyvByhVDAa.Bis8Nfj2u5, MtylF5MN0ZB1XUnlinq.lk5MbtJFe(4218, MtylF5MN0ZB1XUnlinq.cqxM4wlCTi), psokcXYESiVIocWutWY.PnTYcVPfsh)\r\nCopy itself to C:\\Users\\UserName\\AppData\\Roaming.\r\nLp9PmLMkZmvU1wvfDHu.lk5MbtJFe(text, text2, Lp9PmLMkZmvU1wvfDHu.TMGYWc0mXg)\r\nExclude the path of the newly copied sample from Windows Defender, write the task XML to a tmp file and create a scheduled task for persistence.\r\nLp9PmLMkZmvU1wvfDHu.lk5MbtJFe(sW3Asla2NyvByhVDAa.Bis8Nfj2u5, text2, Lp9PmLMkZmvU1wvfDHu.AjQYS6EhjD)\r\nLoad a DLL at runtime that contains only resource data.\r\nUeAupokA536JGhxDyO.ohMtKo8nMu0hWQpbYo2.XYtPy3Anye()\r\nLoad a resource from the loaded DLL.\r\nUeAupokA536JGhxDyO.MH1pvtk8kqaCIqEAbCh.n0BjAw3y3a()\r\nDecrypt the resource to get our main payload.\r\nIHeoJKYkPinpHknFH9q.lk5MbtJFe(yAWG7ZYlZIPfRxSYSsw.lk5MbtJFe(sW3Asla2NyvByhVDAa.CTs8UfsbAO, yAWG7ZYlZIPfRxSYSsw.v2CYiSRjI0), sW3Asla2NyvByhVDAa.j3J8Ic57Tf, IHeoJKYkPinpHknFH9q.UC8Yj8UgDU)\r\nSpawn our main payload using process hollowing.\r\nUeAupokA536JGhxDyO.sW3Asla2NyvByhVDAa.Fgxk5Jy1sG()\r\nExit.\r\nPersistence\r\nThe following command is executed to add the dropped copy to the Windows Defender exclusion list, so that real-time and scheduled scans skip that file. Add-MpPreference needs administrator rights; when the infected user is a standard user the call fails and the copy stays scanned.\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" Add-MpPreference -ExclusionPath \"C:\\Users\\UserName\\AppData\\Roaming\\jwoHTfo.exe\"\r\nThe following command is executed to create a scheduled task:\r\n\"C:\\Windows\\System32\\schtasks.exe\" /Create /TN \"Updates\\jwoHTfo\" /XML \"C:\\Users\\UserName\\AppData\\Local\\Temp\\tmp2BD2.tmp\"\r\nThe tmp file has the following XML (the comments are annotations added during analysis):\r\n<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo>\r\n    <Date>2014-10-25T14:27:44.8929027</Date>\r\n    <Author>UserName</Author>\r\n  </RegistrationInfo>\r\n  <Triggers>\r\n    <LogonTrigger> <!-- Starts the task when a user logs on -->\r\n      <Enabled>true</Enabled>\r\n      <UserId>UserName</UserId>\r\n    </LogonTrigger>\r\n    <RegistrationTrigger> <!-- Starts the task when it is registered or updated -->\r\n      <Enabled>false</Enabled>\r\n    </RegistrationTrigger>\r\n  </Triggers>\r\n  <Principals>\r\n    <!-- Specifies the security contexts that can be used to run the task. -->\r\n    <Principal id=\"Author\">\r\n      <!-- 
Specifies the security credentials for a principal. These credentials define the security context that a task runs under. -->\r\n      <UserId>UserName</UserId>\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <!-- User must already be logged on. The task will be run only in an existing interactive session. -->\r\n      <RunLevel>LeastPrivilege</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>\r\n    <!-- Stops the running instance and starts a new one. -->\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <!-- Specifies that the task will not be started if the computer is running on battery power. -->\r\n    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>\r\n    <!-- Specifies that the task will be stopped if the computer switches to battery power. -->\r\n    <AllowHardTerminate>false</AllowHardTerminate>\r\n    <!-- Specifies if the Task Scheduler service allows hard termination of the task. -->\r\n    <StartWhenAvailable>true</StartWhenAvailable>\r\n    <!-- Specifies that the Task Scheduler can start the task at any time after its scheduled time has passed. -->\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <!-- Specifies that the Task Scheduler will run the task only when a network is available. -->\r\n    <IdleSettings>\r\n      <!-- Specifies how the Task Scheduler performs tasks when the computer is in an idle state. -->\r\n      <StopOnIdleEnd>true</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <!-- Specifies that the task can be started by using either the Run command or the Context menu. -->\r\n    <Enabled>true</Enabled>\r\n    <!-- Specifies that the task is enabled. The task can be performed only when this setting is True. -->\r\n    <Hidden>false</Hidden>\r\n    <!-- Specifies whether the task is hidden from the user interface (UI). -->\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <!-- Specifies that the task is run only when the computer is in an idle state. -->\r\n    <WakeToRun>false</WakeToRun>\r\n    <!-- Specifies that Task Scheduler will wake the computer before it runs the task. -->\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <!-- PT0S means no time limit: the task is never stopped for running too long. -->\r\n    <Priority>7</Priority>\r\n    <!-- BELOW_NORMAL_PRIORITY_CLASS / THREAD_PRIORITY_BELOW_NORMAL -->\r\n  </Settings>\r\n  <Actions Context=\"Author\"> <!-- Execute the packed sample -->\r\n    <Exec>\r\n      <Command>C:\\Users\\UserName\\AppData\\Roaming\\jwoHTfo.exe</Command>\r\n    </Exec>\r\n  </Actions>\r\n</Task>\r\nLoad DLL at runtime\r\nFor the last stage of unpacking the malware uses a local callback function, XYtPy3Anye, registered on AppDomain.CurrentDomain.ResourceResolve; the runtime calls it when a resource cannot be found by name.\r\nThe malware reads a resource named 6XrMbvA from the current module, which has no such named resource in its resource directory. The resource lookup fails and the registered local function XYtPy3Anye is called to resolve it.\r\nAnother DLL then appears in memory, decrypted from the resource wgESy1fvJpAjtLonUv.mtQ6crCqKVauvIWPi5 and then decompressed. It contains a resource named 6XrMbvA, the originally requested name.\r\nThe Snake Keylogger payload is encrypted in the 6XrMbvA resource.\r\nThe resource is decrypted in the UeAupokA536JGhxDyO.MH1pvtk8kqaCIqEAbCh.O9RjtGPl7D() method; the call\r\nIHeoJKYkPinpHknFH9q.lk5MbtJFe(yAWG7ZYlZIPfRxSYSsw.lk5MbtJFe(sW3Asla2NyvByhVDAa.CTs8UfsbAO, yAWG7ZYlZIPfRxSYSsw.v2CYiSRjI0), sW3Asla2NyvByhVDAa.j3J8Ic57Tf, IHeoJKYkPinpHknFH9q.UC8Yj8UgDU)\r\nall happens under this method.\r\nProcess Hollowing\r\nThe program then creates a suspended child process, injects the Snake Keylogger payload into it and resumes the child process. The parent process then exits.\r\nAll the process hollowing functionality is under the UeAupokA536JGhxDyO.sW3Asla2NyvByhVDAa.Fgxk5Jy1sG() method.\r\nCreate new process:\r\nsW3Asla2NyvByhVDAa.t9k84Eca13(\u0020, string.Empty, IntPtr.Zero, IntPtr.Zero, false, 134217732U, IntPtr.Zero, null, ref q7wjRryksphgmH13gM, ref whaCmriILF5883Bt0r)\r\nIt calls CreateProcess() to create the child process with creation flags 134217732U (0x08000004), which is CREATE_NO_WINDOW (0x08000000) | CREATE_SUSPENDED (0x00000004). A suspended process with no window is the usual hollowing target: its image is replaced before the main thread ever runs.\r\nWrite process memory:\r\nBBDYpjYA3gIOGArn7ck.lk5MbtJFe()\r\nSetThreadContext:\r\nsW3Asla2NyvByhVDAa.j898gCWDUT(whaCmriILF5883Bt0r.Rs9GptxmvX, array2)\r\nResume thread:\r\nsW3Asla2NyvByhVDAa.RHI4KHUA4X2R7NW2kBr(sW3Asla2NyvByhVDAa.UTP8ZguGC0, whaCmriILF5883Bt0r.Rs9GptxmvX)\r\nMalware Functionality\r\nSnake Keylogger is obfuscated. 
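Before going into the payload, an added example for the Persistence section above. This is editor-added code, not the author's: a small triage script that checks the two artefacts documented there, the Add-MpPreference command line and the scheduled-task XML, for the pattern of a logon-triggered task that executes a binary from the user's profile and has a matching Defender exclusion. The sample command line and the cut-down task XML are constructed from the text above, and the user-writable path heuristic is an assumption of the example.

```python
# Editor-added example, not code from the original post. Triages the two
# persistence artefacts described above with the standard library only:
#   1. a PowerShell command line adding a Windows Defender exclusion
#   2. a Task Scheduler XML definition registered with schtasks /XML
# The path heuristic and the sample data are constructed for the example.
import xml.etree.ElementTree as ET

BS = chr(92)  # a backslash; kept out of the string literals below
NS = {'t': 'http://schemas.microsoft.com/windows/2004/02/mit/task'}


def win_path(*parts):
    '''Join path components with backslashes (assembled at runtime on purpose).'''
    return BS.join(parts)


DROPPED_COPY = win_path('C:', 'Users', 'UserName', 'AppData', 'Roaming', 'jwoHTfo.exe')

# Constructed sample of the exclusion command line quoted in the text above.
SAMPLE_EXCLUSION_CMD = (
    win_path('C:', 'Windows', 'System32', 'WindowsPowerShell', 'v1.0', 'powershell.exe')
    + ' Add-MpPreference -ExclusionPath ' + DROPPED_COPY
)

# Constructed sample: the task XML from the text, reduced to the elements that matter.
SAMPLE_TASK_XML = '''<Task version='1.2' xmlns='{ns}'>
  <Triggers><LogonTrigger><Enabled>true</Enabled><UserId>UserName</UserId></LogonTrigger></Triggers>
  <Principals><Principal id='Author'><LogonType>InteractiveToken</LogonType>
    <RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden><ExecutionTimeLimit>PT0S</ExecutionTimeLimit></Settings>
  <Actions Context='Author'><Exec><Command>{cmd}</Command></Exec></Actions>
</Task>'''.format(ns=NS['t'], cmd=DROPPED_COPY)


def defender_exclusions(cmdline):
    '''Paths passed to Add-MpPreference -ExclusionPath, or [] for any other command line.'''
    tokens = cmdline.split()
    lowered = [t.lower() for t in tokens]
    if 'add-mppreference' not in lowered:
        return []
    quotes = chr(34) + chr(39)
    return [tokens[i + 1].strip(quotes)
            for i, t in enumerate(lowered)
            if t == '-exclusionpath' and i + 1 < len(tokens)]


def normalise(path):
    '''Lower-case, forward-slash form so paths from different sources compare equal.'''
    return path.replace(BS, '/').lower()


def user_writable(path):
    '''Heuristic (assumption of this example): the binary lives in a per-user location.'''
    p = normalise(path)
    return '/appdata/' in p or '/users/public/' in p


def triage_task(xml_text):
    '''Summarise a Task Scheduler definition for the logon-persistence pattern.'''
    root = ET.fromstring(xml_text)

    def text_of(path):
        node = root.find(path, NS)
        return (node.text or '').strip() if node is not None else ''

    commands = [(c.text or '').strip() for c in root.findall('.//t:Exec/t:Command', NS)]
    report = {
        'logon_trigger': root.find('.//t:LogonTrigger', NS) is not None,
        'run_level': text_of('.//t:RunLevel'),
        'hidden': text_of('.//t:Hidden').lower() == 'true',
        'no_time_limit': text_of('.//t:ExecutionTimeLimit') == 'PT0S',
        'commands': commands,
    }
    report['suspicious'] = report['logon_trigger'] and any(user_writable(c) for c in commands)
    return report


def persistence_findings(cmdline, task_xml):
    '''Correlate both artefacts: an exclusion for the very file the task runs is the strongest signal.'''
    report = triage_task(task_xml)
    excluded = {normalise(p) for p in defender_exclusions(cmdline)}
    report['excluded_and_scheduled'] = any(normalise(c) in excluded for c in report['commands'])
    return report


if __name__ == '__main__':
    for key, value in persistence_findings(SAMPLE_EXCLUSION_CMD, SAMPLE_TASK_XML).items():
        print(key, '=', value)
```

The two artefacts are worth correlating rather than alerting on separately: a logon task pointing into AppData is common in legitimate per-user installers, and an exclusion alone may be an administrator's doing, but an exclusion for exactly the file a freshly registered logon task executes, both created by the same process tree, is the chain this sample leaves behind.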
Let's use de4dot to make it more readable.\r\nAfter reversing and renaming:\r\nThe malware starts by initializing variables, some of which are never used. The interesting part is that it sets timers so that some functions execute every 0.1 second.\r\nThese are the functions that execute periodically:\r\n1. Sending keylogs.\r\n2. Sending screenshots.\r\n3. Sending clipboard contents.\r\n4. Sending stolen data encrypted.\r\n5. Sending stolen data as plaintext.\r\nKeyLogging\r\nIt calls SetWindowsHookExA() to register the hook callback this.ProcessKey(), which receives low-level keyboard input events. The first parameter is the hook type; 13 is WH_KEYBOARD_LL.\r\nIt also records the foreground window title, to identify where the victim is typing, by calling GetForegroundWindow() and GetWindowText().\r\nThe malware installs its own handler for keypress events. Keys are logged as follows:\r\nBackspace, Delete, End, F1 to F11: not recorded\r\nF12: [F12]\r\nTAB: [tap]\r\nENTER: [Entr]\r\nSPACE: \" \"\r\nAny other key: the uppercase or lowercase character, depending on the state of the Shift and Caps Lock keys\r\nScreenshot\r\nA timer captures the victim's screen from time to time by calling CopyFromScreen(). Each screenshot is saved to the My Documents\\SnakeKeylogger folder as Screenshot.png, and the malware then tries to send the file; whatever the result of the upload, the file is deleted afterwards.\r\nSystem Clipboard\r\nIt has two timers. One collects the system clipboard by calling Clipboard.GetText() and saves it to a global variable. The other sends the collected clipboard data to the attacker.\r\nSteal Credentials\r\nBefore the credential stealing code there are a lot of methods with empty bodies: features disabled in this sample. I tried to get a sample that has those functions enabled but had no luck.\r\nJudging by their names, these functions are anti-VM and anti-emulation checks and a second persistence method: adding itself to autorun through the registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, killing certain processes, checking for files that belong to virtual machines and searching for VM-specific processes. They would also remove cookies from Chrome and Firefox, as well as the system's general cookie store, so that the user has to log in to accounts again and the credentials can be captured by the keylogger.\r\nHow did I know that? While searching for samples to test my config extractor, I found a sample in which those functions are named but still have empty bodies. Lucky me.\r\nI don't know why all of that was disabled. It would be nice to see those.\r\nBack to what we have in our sample.\r\nSnake kills the chrome and firefox processes if they are running.\r\nSnake steals credentials from FTP clients, email clients, messengers and browsers using static paths. 
It has four different methods to steal data from different types of browsers: Gecko-based browsers, Opera, Internet Explorer and Chromium-based browsers.\r\nApplication: folder or registry key\r\nOutlook (registry): Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676, Software\\Microsoft\\WindowsNT\\CurrentVersion\\WindowsMessagingSubsystem\\Profiles\\Outlook\\9375CFF0413111d3B88, Software\\Microsoft\\WindowsMessagingSubsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676, Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\r\nFoxmail (registry): SOFTWARE\\Classes\\Foxmail.url.mailto\\Shell\\open\\command\r\nTencent QQBrowser: \\AppData\\Local\\Tencent\\QQBrowser\\UserData\\Default\\LoginData\r\nThunderbird: \\AppData\\Roaming\\Thunderbird\\Profiles\r\nPostbox: \\AppData\\Roaming\\PostboxApp\\Profiles\r\nDiscord: \\AppData\\Local\\discord\\LocalStorage\\leveldb\\\r\nPidgin: \\AppData\\Roaming\\.purple\\accounts.xml\r\nFileZilla: \\AppData\\Roaming\\FileZilla\\recentservers.xml\r\nKinza: \\AppData\\Local\\Kinza\\UserData\\Default\\LoginData\r\nFalkon: \\AppData\\Local\\Sputnik\\Sputnik\\UserData\\Default\\LoginData (the sample points Falkon at the Sputnik path)\r\nSputnik: \\AppData\\Local\\Sputnik\\Sputnik\\UserData\\Default\\LoginData\r\nSalamWeb: \\AppData\\Local\\SalamWeb\\UserData\\Default\\LoginData\r\nCoolNovo: \\AppData\\Local\\MapleStudio\\ChromePlus\\UserData\\Default\\LoginData\r\nQIPSurf: \\AppData\\Local\\QIPSurf\\UserData\\Default\\LoginData\r\nBlackHawk: \\AppData\\Local\\BlackHawk\\UserData\\Default\\LoginData\r\n7Star: \\AppData\\Local\\7Star\\7Star\\UserData\\Default\\LoginData\r\nFenrirInc (Sleipnir): \\AppData\\Local\\Sleipnir\\Sleipnir5\\setting\\modules\\ChromiumViewer\\Default\\LoginData\r\nCitrio: \\AppData\\Local\\CatalinaGroup\\Citrio\\UserData\\Default\\LoginData\r\nChrome Canary: \\AppData\\Local\\Google\\ChromeSxS\\UserData\\Default\\LoginData\r\nGoogle Chrome: \\AppData\\Local\\Google\\Chrome\\UserData\\Default\\LoginData\r\nCoowon: \\AppData\\Local\\Coowon\\Coowon\\UserData\\Default\\LoginData\r\nCocCoc: \\AppData\\Local\\CocCoc\\Browser\\UserData\\Default\\LoginData\r\nUran: \\AppData\\Local\\uCozMedia\\Uran\\UserData\\Default\\LoginData\r\nOrbitum: \\AppData\\Local\\Orbitum\\UserData\\Default\\LoginData\r\nSlimjet: \\AppData\\Local\\Slimjet\\UserData\\Default\\LoginData\r\nIridium: \\AppData\\Local\\Iridium\\UserData\\Default\\LoginData\r\nVivaldi: \\AppData\\Local\\Vivaldi\\UserData\\Default\\LoginData\r\nIron: \\AppData\\Local\\Chromium\\UserData\\Default\\LoginData\r\nOther Chromium-based browsers: \\AppData\\Local\\Chromium\\UserData\\Default\\LoginData\r\nGhost: \\AppData\\Local\\GhostBrowser\\UserData\\Default\\LoginData\r\nCent: \\AppData\\Local\\CentBrowser\\UserData\\Default\\LoginData\r\nXvast: \\AppData\\Local\\Xvast\\UserData\\Default\\LoginData\r\nChedot: \\AppData\\Local\\Chedot\\UserData\\Default\\LoginData\r\nSuperBird: \\AppData\\Local\\SuperBird\\UserData\\Default\\LoginData\r\n360Browser: \\AppData\\Local\\360Browser\\Browser\\UserData\\Default\\LoginData\r\n360Secure: \\AppData\\Local\\360Chrome\\Chrome\\UserData\\Default\\LoginData\r\nComodo Dragon: \\AppData\\Local\\Comodo\\Dragon\\UserData\\Default\\LoginData\r\nBrave: \\AppData\\Local\\BraveSoftware\\Brave-Browser\\UserData\\Default\\LoginData\r\nTorch: \\AppData\\Local\\Torch\\UserData\\Default\\LoginData\r\nUCBrowser: \\AppData\\Local\\UCBrowser\\UserData_i18n\\Default\\UCLoginData.18\r\nBlisk: \\AppData\\Local\\Blisk\\UserData\\Default\\LoginData\r\nEpicPrivacyBrowser: \\AppData\\Local\\EpicPrivacyBrowser\\UserData\\Default\\LoginData\r\nYandex: \\AppData\\Local\\Yandex\\YandexBrowser\\UserData\\Default\\YaLoginData\r\nNichrome: \\AppData\\Local\\Nichrome\\UserData\\Default\\LoginData\r\nAmigo: \\AppData\\Local\\Amigo\\UserData\\Default\\LoginData\r\nKometa: \\AppData\\Local\\Kometa\\UserData\\Default\\LoginData\r\nXpom: \\AppData\\Local\\Xpom\\UserData\\Default\\LoginData\r\nElements: \\AppData\\Local\\ElementsBrowser\\UserData\\Default\\LoginData\r\nMicrosoft Edge: \\AppData\\Local\\Microsoft\\Edge\\UserData\\Default\\LoginData\r\nLiebao7: \\AppData\\Local\\Liebao7\\UserData\\Default\\EncryptedStorage\r\nAVAST Secure Browser: \\AppData\\Local\\AVASTSoftware\\Browser\\UserData\\Default\\LoginData\r\nMicrosoft: \\AppData\\LocalSoftware\\Microsoft\\WindowsNT\\CurrentVersion\r\nIceCat: \\AppData\\Roaming\\Mozilla\\icecat\\Profiles\r\nSlimBrowser: \\AppData\\Roaming\\FlashPeak\\SlimBrowser\\Profiles\r\nFirefox: \\AppData\\Ro
aming\\Mozilla\\Firefox\\Profiles\r\nSeaMonkey: \\AppData\\Roaming\\Mozilla\\SeaMonkey\\Profiles\r\nIceDragon: \\AppData\\Roaming\\Comodo\\IceDragon\\Profiles\r\nCyberfox: \\AppData\\Roaming\\8pecxstudios\\Cyberfox\\Profiles\r\nPale Moon: \\AppData\\Roaming\\Moonchild Productions\\Pale Moon\\Profiles\r\nWaterfox: \\AppData\\Roaming\\Waterfox\\Profiles\r\nOpera: \\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data\r\nOpera (legacy): \\AppData\\Roaming\\Opera\\Opera\\profile\\wand.dat\r\nThe Chromium paths are reproduced as the page shows them; on disk the profile directory and the database are named User Data and Login Data, with spaces.\r\nStealing Mechanism\r\n1. Access the file that contains the credentials.\r\n2. Parse it with SQL queries; the payload carries a whole class for handling the SQLite databases.\r\n3. Decrypt the passwords.\r\n4. Append the result to the global variable.\r\nMore details on the stealing mechanism are in my report about Mars Stealer; it is pretty much the same.\r\nFor the Gecko-based browsers Snake tries to load mozglue.dll and nss3.dll: it checks which of those browsers are installed and tries to load the two DLLs from one of their installation paths.\r\nC2 Communication\r\nIf isProtected is initialized with ProtectTrue, all data is encrypted before it is sent.\r\nDepending on the option selected in the configuration, there are three ways of talking to the C2:\r\nFTP\r\nWhen transferring over FTP, a file named ComputerName - Passwords ID - BotID FilExtension is created on the FTP host.\r\nThe content of the file is PW UserName Snake VictimInfo Passwords_Logs.\r\nThe Bot ID has two parts: the first is set in the configuration, the second is a randomly generated 4-byte number.\r\nSMTP\r\nA message of the following format is generated:\r\nSubject: Pc Name: Username Snake Keylogger\r\nEmail body: PW Username Snake\r\nAttachments:\r\nPasswords.txt contains PW UserName Snake VictimInfo Passwords_Logs in Unicode\r\nUser.txt is the same as Passwords.txt but in ASCII\r\nVictimInfo contains the PC name, date and time, client IP and country name.\r\nAll data is sent as an attachment, either DES-encrypted or in plaintext.\r\nTelegram\r\nThe data is transferred as an attached file. Log file attachments have the following format:\r\nPW UserName Snake VictimInfo Passwords_Logs\r\nThe other collected data is sent the same way:\r\n1. 
Keylogs:\r\nContent format: KP UserName Snake VictimInfo KeyStrokes\r\nOver FTP a file named ComputerName - keystroke Logs ID - BotID FilExtension is created on the FTP host.\r\n2. Clipboard:\r\nContent format: Clipboard UserName Snake VictimInfo GrabbedClipboard\r\nOver FTP a file named ComputerName - Clipboard Logs ID - BotID FilExtension is created on the FTP host.\r\n3. Screenshot:\r\nContent format: Screenshot UserName Snake VictimInfo ImageBytes\r\nOver FTP a file named ComputerName - Screenshot Logs ID - BotID .png is created on the FTP host.\r\nConfig Extractor\r\nThe extractor below walks every method body of the unpacked payload with dnlib, collects the ldstr string literals in IL order and reads the configuration at fixed offsets relative to the CountryName: marker; the offsets were derived from this sample. It runs under pythonnet with dnlib.dll and the validators package available:\r\nimport sys, struct, clr\r\nimport os\r\nimport validators\r\nsys.path.append(os.path.dirname(__file__))\r\nclr.AddReference(\"System.Memory\")\r\nfrom System.Reflection import Assembly, MethodInfo, BindingFlags\r\nfrom System import Type\r\nDNLIB_PATH = r''  # path to dnlib.dll; leave empty when it sits next to this script\r\nclr.AddReference(DNLIB_PATH if DNLIB_PATH else \"dnlib\")\r\nimport dnlib\r\nfrom dnlib.DotNet import *\r\nfrom dnlib.DotNet.Emit import OpCodes\r\nSAMPLE_PATH = r''  # unpacked Snake Keylogger payload\r\nmodule = dnlib.DotNet.ModuleDefMD.Load(SAMPLE_PATH)\r\neFlags = BindingFlags.Static | BindingFlags.Public | BindingFlags.NonPublic\r\nHardcoded_String = []\r\n\r\ndef get_Hardcoded_String():\r\n    # Walk every method body and collect the operand of each ldstr in IL order.\r\n    for mtype in module.GetTypes():\r\n        if not mtype.HasMethods:\r\n            continue\r\n        for method in mtype.Methods:\r\n            if not method.HasBody:\r\n                continue\r\n            if not method.Body.HasInstructions:\r\n                continue\r\n            for ptr in range(len(method.Body.Instructions)):\r\n                try:\r\n                    if method.Body.Instructions[ptr].OpCode == OpCodes.Ldstr:\r\n                        # Instruction.ToString() gives 'IL_xxxx: ldstr \"text\"'; keep only the text\r\n                        Hardcoded_String.append(method.Body.Instructions[ptr].ToString()[14:].replace('\"', \"\").replace(\" \", \"\"))\r\n                except:\r\n                    continue\r\n\r\nget_Hardcoded_String()\r\nif \"CountryName:\" in Hardcoded_String:\r\n    config_offset = Hardcoded_String.index(\"CountryName:\")\r\n    for i in range(5):\r\n        if config_offset + i + 10 >= len(Hardcoded_String):\r\n            break  # marker too close to the end of the string list for this offset\r\n        SMTP_Host = \"\"\r\n        SMTP_Port = \"\"\r\n        SMTP_Email = \"\"\r\n        Tel_BOT = \"\"\r\n        FTP_Host = \"\"\r\n        if len(Hardcoded_String[config_offset + i + 9]) > 22 and Hardcoded_String[config_offset + i + 10].isdigit():\r\n            Tel_chaTID = Hardcoded_String[config_offset + i + 10]\r\n            Tel_BOT = Hardcoded_String[config_offset + i + 9]\r\n        if validators.ipv4(Hardcoded_String[config_offset + i + 3]) or validators.domain(Hardcoded_String[config_offset + i + 3]):\r\n            SMTP_Host = Hardcoded_String[config_offset + i + 3]\r\n            SMTP_Port = Hardcoded_String[config_offset + i + 5]\r\n            SMTP_Username = Hardcoded_String[config_offset + i + 1]\r\n            SMTP_Password = Hardcoded_String[config_offset + i + 2]\r\n            SMTP_Email = Hardcoded_String[config_offset + i + 4]\r\n        if \"ftp\" in Hardcoded_String[config_offset + i + 8]:\r\n            FTP_Host = Hardcoded_String[config_offset + i + 8]\r\n            FTP_Username = Hardcoded_String[config_offset + i + 6]\r\n            FTP_Password = Hardcoded_String[config_offset + i + 7]\r\n        if SMTP_Host != \"\" and SMTP_Port != \"\" and SMTP_Email != \"\":\r\n            print(\"SMTP Host = \", SMTP_Host)\r\n            print(\"SMTP Port = \", SMTP_Port)\r\n            print(\"SMTP Username = \", SMTP_Username)\r\n            print(\"SMTP Password = \", SMTP_Password)\r\n            print(\"SMTP Email To = \", SMTP_Email)\r\n        if Tel_BOT != \"\":\r\n            Tel_C2 = \"https://api.telegram.org/bot\" + Tel_BOT + \"/sendMessage?chat_id=\" + Tel_chaTID\r\n            print(\"Telegram C2 = \", Tel_C2.strip())\r\n        if FTP_Host != \"\":\r\n            print(\"FTP Host = \", FTP_Host)\r\n            print(\"FTP Port = \", 21)\r\n            print(\"FTP Username = \", FTP_Username)\r\n            print(\"FTP Password = \", FTP_Password)\r\nIOCs\r\nHashes:\r\n1. 
2022_Exportlist.pdf.exe aka TRACEPROVIDERINSTANCEI.exe aka jwoHTfo.exe\r\nMD5: 96fe87fda1c50480609164fdfa7c56e1\r\nSHA-1: 548e2ae1da37cf3c58b1dc24b9020be915892412\r\nSHA-256: 605929594981dafbab968728e7a47ca70c6175e2b0c2394b1f6793145b338175\r\nImphash: f34d5f2d4577ed6d9ceec516c1f5a744\r\nSSDEEP: 12288:xo9C8+jXbW9qT9q0VOf/1hCCy51Y325l4+2HyIQfEzT2Ovn8UT/e6R+Ha3VG/VRC:xolCXKOnk9/O1Yel4HH1U+qrce6R+6l7\r\n2. MLang.dll aka lolno.dll\r\nMD5: ab47b292d4d39311539a0b97e6661f4f\r\nSHA-1: 54cd9efbebe4f41b23e6f24fffac0da8f72d921b\r\nSHA-256: fe78017f2153de0c5ca645c4255899ab044502fe5c77d5c04ced635d9fe981d9\r\nImphash: dae02f32a21e03ce65412f6e56942daa\r\nSSDEEP: 768:JacFZ4/H/ve5rv+jfs1j/3Lo1wndAYObbtDgbg6A0V5Xr1Kt9b:BCDI3LosObbtko8bAt9b\r\n3. IVectorView.dll\r\nMD5: 1f0d10c221bfe2cf55c71a36f960a94f\r\nSHA-1: ccbce039ccd22c9adf2a3761dcd5dc2e1cfd9579\r\nSHA-256: c555c0c042e85369b0aec6961a04cb5f33689f9a2d84bbb436793d8eabf9a641\r\nImphash: dae02f32a21e03ce65412f6e56942daa\r\nSSDEEP: 12288:u4PeegK8DnyyBlfnCwWVazsNNw9vn0SNRiMcdxNF:59UlvJQosgfZbcdxNF\r\n4. 96e46e73-3d6c-4438-a642-6355f4e5a32b.dll\r\nMD5: 9685ca6802fcec12497c9de13e0828f7\r\nSHA-1: 07ff707126fe5ef9d81d930d1184c8acbca84447\r\nSHA-256: 900664051b305fa30b48392b7c3956c172d3b1b4248b0b1ba30a850010d4aeed\r\nImphash: dae02f32a21e03ce65412f6e56942daa\r\nSSDEEP: 3072:BCfNUMO2WfOHSV897gRPLh5dHwRD+Y4eHxz8KHoCaN/ELEv5:6UqMuSVmi5mx3xz8pn/\r\n5. YFGGCVyufgtwfyuTGFWTVFAUYVF.exe\r\nMD5: a90c091abded4a4f763de7537f569167\r\nSHA-1: 9394b05c2d518ee5d75fb030f2dca6d15c44bf0a\r\nSHA-256: 653b29296dcc50bfb59898d3ba38748b1c484701079ccc85f45bd2c0e4ecbe3e\r\nImphash: f34d5f2d4577ed6d9ceec516c1f5a744\r\nSSDEEP: 3072:gFlAi/smc7Rkw3HTCnnnnnnnnnnnnnnnnnn9b8GOswBn7FbY8:crkIb4hbN\r\nFiles:\r\n1. C:\\Users\\UserName\\AppData\\Roaming\\jwoHTfo.exe\r\n2. C:\\Users\\UserName\\AppData\\Local\\Temp\\tmp(4bytes).tmp\r\nC2 URL (Telegram bot API, defanged):\r\nhttps://api[.]telegram[.]org/bot5392870078:AAEZf0ajeo_PMkBddeC_JE--NP4u4367N6c/sendMessage?chat_id=1856108848\r\nYARA Rule\r\nrule SnakeKeylogger : SnakeKeylogger {\r\n    meta:\r\n        author = \"X__Junior\"\r\n        description = \"Detects Snake Keylogger\"\r\n    strings:\r\n        $s1 = \"_KPPlogS\" fullword ascii\r\n        $s2 = \"_Scrlogtimerrr\" fullword ascii\r\n        $s3 = \"_Clpreptimerr\" fullword ascii\r\n        $s4 = \"_clprEPs\" fullword ascii\r\n        $s5 = \"_kLLTIm\" fullword ascii\r\n        $s6 = \"_TPSSends\" fullword ascii\r\n        $s7 = \"_ProHfutimer\" fullword ascii\r\n        $s8 = \"GrabbedClp\" fullword ascii\r\n        $s9 = \"StartKeylogger\" fullword ascii\r\n        $s10 = \"KPPlogS\" fullword ascii\r\n        $s11 = \"Scrlogtimerrr\" fullword ascii\r\n        $s12 = \"Clpreptimerr\" fullword ascii\r\n        $s13 = \"clprEPs\" fullword ascii\r\n        $s14 = \"kLLTIm\" fullword ascii\r\n        $s15 = \"TPSSends\" fullword ascii\r\n        $s16 = \"ProHfutimer\" fullword ascii\r\n        $x1 = \"$%SMTPDV$\" wide\r\n        $x2 = \"$#TheHashHere%&\" wide\r\n        $x3 = \"%FTPDV$\" wide\r\n        $x4 = \"$%TelegramDv$\" wide\r\n        $m1 = \"| Snake Keylogger\" ascii wide\r\n        $m2 = \"SnakePW\" ascii wide\r\n        $m3 = \"\\\\SnakeKeylogger\\\\\" ascii wide\r\n        $m4 = \"Snake\" ascii wide\r\n    condition:\r\n        (uint16(0) == 0x5a4d and (6 of ($s*) or 4 of ($x*) or 3 of ($m*)))\r\n}\r\n$m4 is a very short string that would match far too widely on its own; only the 3 of ($m*) clause keeps that branch of the condition usable, so do not loosen it.\r\nSource: https://x-junior.github.io/malware%20analysis/2022/06/24/Snakekeylogger.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://x-junior.github.io/malware%20analysis/2022/06/24/Snakekeylogger.html"
	],
	"report_names": [
		"Snakekeylogger.html"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434083,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bad8a3616647f1d0aa12d30af03068a488eb8b90.pdf",
		"text": "https://archive.orkl.eu/bad8a3616647f1d0aa12d30af03068a488eb8b90.txt",
		"img": "https://archive.orkl.eu/bad8a3616647f1d0aa12d30af03068a488eb8b90.jpg"
	}
}