BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

Snake

53
Global rank
79 infographic chevron month
Month rank
68 infographic chevron week
Week rank
1018
IOCs

Snake is a modular keylogger written in .NET. Adversaries use this malware to exfiltrate confidential data, such as keystrokes, screen captures, and login credentials.

Keylogger
Type
Ex-USSR
Origin
15 August, 2019
First seen
29 March, 2022
Last seen
Also known as
404 Keylogger
404KeyLogger
Snake Keylogger

How to analyze Snake with ANY.RUN

Type
Ex-USSR
Origin
15 August, 2019
First seen
29 March, 2022
Last seen

IOCs

IP addresses
31.210.74.53
Hashes
02df25353817c3976948a178c7e195aff4354708f764350278cd7e2b5e4cbaab
05cb0a2e0774cd18a209428eff632358f8d55da31b45825c3fd99fa117313e2c
6f3f6d7fb9c7aafcac095786e6a2d41301ebb2f2dbbb3d62650331b8407eb5a4
8b5d7a796b73fdf3898ef5899cdb03f92270b9fad8c520cca19d957bce8e59a4
0e1c990e2998627ce97787e8d8d1416ab8919504b00f46e570735500af2a18fa
596807f2fdd2c55472a55345bcd4a3ed633c2fdd584355eaf3dbcd58b1144f94
05eee1bc9c1e16edcc98e0db0f289834bf181636acf0a5cf79d4725a19b26e89
79aed49f0c68c31e73f828fe6796a1fbaff39a50e79e14c4d8436d57ecac944b
c7fbb44d4bab0581d67b17f37224cc5727db48b14012af00e2fc686ba91046b0
f19382f73afea13e667e2e39aa0017ee8d3976038fd549c2f2d6b4be4d241cc7
0fe6cda85c2f35d36baee4210b12c8b062361f092d010f457ac4434e7c5e594a
6ac80e0f25ef05e6940e4ed92719b53c78f816ea7ee0a6466719362e34c66eee
659d786131454bee09b1cf35abfbec971dd4d3bed16b34805332be4ddd33202b
2a5530ab57193bdd66809775e99678ec6be6053af364e731aeae2fb9baabbf32
77dab247203f103e2c7e5139d3d67cc41c2d375bdfb56b9fa902c53a4079a489
a6f00b73a005bf4649b09871312a4db3719e23f277b61f1e62139055e974adfa
c8f85a669a9351e1365c5bf890f796eb692be654dfd25ec2ebf2009bb7058c05
f6acf4d217145bc4c53e7e9b17046134b2afc502ba7ef0b7cd96d165b1602c3e
d4447315ca06e33ed59b76db2aa5710198414dc50c28208ed309cbb365922c23
77a709b9c25370a8706e88779bae17ee74e76fc2c61aacc9ad1d45db05e1da2c
Domains
cp5ua.hyperhost.ua
mail.stilltech.ro
mail.yezinsaat.com.tr
mail.valleycountysar.org
mail.skyshine.com.my
mail.nclanka.lk
mail.alfalahchemicals.com
smtp.privateemail.com
mail.prinutrition.com
posta.ni.net.tr
smtp.azebal.com
mail.sienkakupeste.com
mail.anatolia-mountains.com
mail.eversafe.pt
mail.rockglen.com
mail.alroman.com
mail.karacainsaat.com.tr
mail.algodontekstil.com
mail.black-pepper.nl
cmail2.webkontrol.doruk.net.tr
Last Seen at

Recent blog posts

post image
DCRat: Step-by-Step Analysis in ANY.RUN
watchers 881
comments 0
post image
Analyzing Linux Malware in ANY.RUN: 3 exampl...
watchers 335
comments 0
post image
What is Crypto Malware: Definition and Analys...
watchers 316
comments 0

What is Snake malware

Snake is a modular infostealer and keylogger that was initially discovered in November 2020. Developed using the .Net programming language, it exhibits similarities with the AgentTesla, Formbook, and Matiex malware families, particularly in its staging mechanism.

Snake poses a significant risk to privacy due to its ability to exfiltrate a broad range of data. Its capabilities include:

  • Keyboard capturing
  • Clipboard hijacking
  • Credential theft
  • Screen recording

Snake is capable of stealing credentials from over 50 applications, including popular web browsers and file transfer clients, such as FileZilla. Notably, this malware is also able to steal wireless network profiles.

This keylogger is also notable due to its ability to exfiltrate that data through multiple protocols: FTP, SMTP, and Telegram.

Additionally, Snake collects system information including the hardware configuration, name, and operating system version of the infected machine.

Utilizing the system's IP address and date-time information, it identifies the geolocation of the machine it operates on. Some Snake samples, though not all, use this data to activate a kill switch. Such behavior is common for malware originating from the ex-USSR region, typically avoiding targets within nearby countries.

The threat of Snake infection is not confined to specific industries or geographical areas. According to some reports, it has the potential to infect all major platforms, including Windows, Linux, and more recently, MacOS. In addition, Snake is a highly popular malware — it often competes with AgentTesla for the top spot of various charts.

Snake is readily available as a Malware-as-a-Service on underground forums, with pricing options that range from 25 to 500 USD.

This infostealer comes equipped with anti-evasion capabilities. In some samples, its downloader component was found to sleep for a period of time to evade automatic sandboxes. It can also terminate processes related to AV and network analysis tools, such as Avast and Wireshark.

Upon completing the initial process, Snake secures its persistence by duplicating itself into the AppData folder under a random name, generating a scheduled task configuration within a temporary directory, and initiating a scheduled task. What’s more, it possesses the ability to self-delete from the system post data exfiltration, employing a deletion command with a 3-second timer.

Snake keylogger execution process

As a typical stealer, Snake keylogger doesn't produce a lot of noticeable activity, which makes its detection potentially tricky. However, once it's established on an infected machine, it may increase its activity — capturing more data and sending it to the command-and-control server.

In the majority of Snake versions, a single process is responsible for all malicious activities, which include stealing data from the compromised system. In the specific sample of Snake we've analyzed, this process was identified as arinzehfkd685371.exe.

snake keylogger main process

arinzehfkd685371.exe process details

The Snake malware uses a variety of tactics and techniques, as illustrated in the Mitre ATT&CK Matrix. Key strategies include:

  • exploiting client vulnerabilities for initial access
  • extracting credentials from files and password stores
  • querying the system registry
  • and collecting local emails.

It also uses tool transfers and mail protocols for command, control, and exfiltration purposes. Notably, a significant proportion of events (270) involved stealing credentials from files.

snake keylogger ATT&CK Matrix

The Mitre ATT&CK Matrix for Snake malware

During the analysis, ANY.RUN cloud interactive sandbox was able to retrieve Snake’s config automatically. The displayed configuration reveals the DES encryption key and the SMTP credentials used for data exfiltration.

snake keylogger configuration

Snake keylogger malware configuration

Network monitoring tools can use this SMTP information for detection, potentially flagging or blocking traffic associated with the host or email addresses.

Read a detailed analysis of Snake Keylogger in our blog.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Distribution of Snake malware

As is common with Malware-as-a-Service families, Snake is distributed through mass email phishing campaigns and targeted spearphishing. It is known to arrive via infected Microsoft Office documents or PDFs, typically embedded in payment-related messages.

Upon the user extracting the executable, it proceeds to decode and decrypt the base-64 payload, which is contained within a string variable.

Users are recommended to remain vigilant when downloading payment receipts or any documents from unfamiliar senders. Key signs of phishing attempts to look out for include poor grammar, manipulative messaging, and an unusually high number of typos for a professional email.

Snake malware conclusions

In closing, Snake is a powerful infostealer and keylogger that targets various industries and platforms, capable of extracting a wide range of data. Its sandbox evasion capabilities only add to the challenge of detection and analysis.

Try analyzing Snake in ANY.RUN. Create a free account using your business email to try out our interactive cloud malware sandbox.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy