Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Snake

104
Global rank
153 infographic chevron month
Month rank
139 infographic chevron week
Week rank
0
IOCs

Snake is a modular keylogger written in .NET. Adversaries use this malware to exfiltrate confidential data, such as keystrokes, screen captures, and login credentials.

Keylogger
Type
Ex-USSR
Origin
15 August, 2019
First seen
29 March, 2022
Last seen
Also known as
404 Keylogger
404KeyLogger
Snake Keylogger

How to analyze Snake with ANY.RUN

Type
Ex-USSR
Origin
15 August, 2019
First seen
29 March, 2022
Last seen

IOCs

IP addresses
31.210.74.53
Hashes
19732686b3ae1be2a385275bacbdfb77430ba8cfacdcd439acbc06884cd2c6c6
8d565d2d25880b530f68414941c8d568292352d1384684b529def4233d03b9de
7ce06c4227d8b111e23ea4af903379bef4211205ff6a6a582aa7c74149ec8b47
f97f7913db65e06cda7849ebdb4d3f413eb435e3b7063ba1abd08e17f652ba98
3b50796d11c0837412a2d9205f28604ef9c02ea436e33f9cb46ac3b99e1bbc37
49e595816d745be34ae53202b5839e72a30d7245321003fe7a37e1d99508695e
ab833fd3f14a7f2c30c2eb9f15f32e3e43585ff0974a8e51cad3a32396a2eb29
500241e1d85aa91a80977c632488a2713e0e6eba77525e3373f267c3e0e5e5dd
01cc67fc18e6ecbc3b07ffd48db13ed76f5f46072836240e77cbf66aba56959f
f99b51516719d550bdf6f21335507b4eb83accca4efccb523041672aaa7ec330
fca6c1d4e95f8cea4e7c6f16eb63f11f292af965e4ea55284f095a2ef9a7e2f5
1ffe8aa3556f0095079a54a21b603987dc12a29ff1c2851600f0ebf3acd14f8e
27f98c163a61c64b9d02b780ecb06f45c7bb47d07c7b830491c7f6eea39b2e07
9c8174e9371bdafd240be5f789e41e6b7d9b57553be2967d70ad001ae0cf1c32
ac52113e0860d495dceaa83c9f9b83d0263e9e8bf7bdbeb05d710287983d2497
9027995cb652dafdfd860fe0019a3e60817530e46d7f6d8d8640f9241f625ef8
f922f6da9231801f5b01d8750a3b13444508e089ee1745cb617450f6ff541371
372d9f066620aa4050d10aabe89417d5d028c3fe0de5bc62bee864b1f2b18dfd
9497a6407022418a93270934e2fd3d44a5dedbf253320731397fae78949be309
113110be82acb7cb2ab34a08a27eccba3c4ec6ddaf06e8ca1c50fd343197a7a7
Domains
mail.privateemail.com
smtp.yandex.ru
smtp.gmail.com
smtp.mail.ru
smtpout.secureserver.net
smtp.yandex.com
us2.smtp.mailhostbox.com
smtp.vivaldi.net
smtp.privateemail.com
smtp.stcable.net
mail.alfalahchemicals.com
mail.bestelectricpanels.com
mail.prinutrition.com
posta.ni.net.tr
samsung-tv.buzz
mail.sienkakupeste.com
mail.istanbulcannakliyat.com
mail.parkhotelizmir.com
mail.irw.com.br
mail.absheron-sharab.az
Last Seen at

Recent blog posts

post image
How to Grow SOC Team Expertise for Ultimate T...
watchers 172
comments 0
post image
Phishing, Cloud Abuse, and Evasion: Advanced...
watchers 535
comments 0
post image
Release Notes: Palo Alto Networks, Microsoft,...
watchers 3736
comments 0

What is Snake malware

Snake is a modular infostealer and keylogger that was initially discovered in November 2020. Developed using the .Net programming language, it exhibits similarities with the AgentTesla, Formbook, and Matiex malware families, particularly in its staging mechanism.

Snake poses a significant risk to privacy due to its ability to exfiltrate a broad range of data. Its capabilities include:

  • Keyboard capturing
  • Clipboard hijacking
  • Credential theft
  • Screen recording

Snake is capable of stealing credentials from over 50 applications, including popular web browsers and file transfer clients, such as FileZilla. Notably, this malware is also able to steal wireless network profiles.

This keylogger is also notable due to its ability to exfiltrate that data through multiple protocols: FTP, SMTP, and Telegram.

Additionally, Snake collects system information including the hardware configuration, name, and operating system version of the infected machine.

Utilizing the system's IP address and date-time information, it identifies the geolocation of the machine it operates on. Some Snake samples, though not all, use this data to activate a kill switch. Such behavior is common for malware originating from the ex-USSR region, typically avoiding targets within nearby countries.

The threat of Snake infection is not confined to specific industries or geographical areas. According to some reports, it has the potential to infect all major platforms, including Windows, Linux, and more recently, MacOS. In addition, Snake is a highly popular malware — it often competes with AgentTesla for the top spot of various charts.

Snake is readily available as a Malware-as-a-Service on underground forums, with pricing options that range from 25 to 500 USD.

This infostealer comes equipped with anti-evasion capabilities. In some samples, its downloader component was found to sleep for a period of time to evade automatic sandboxes. It can also terminate processes related to AV and network analysis tools, such as Avast and Wireshark.

Upon completing the initial process, Snake secures its persistence by duplicating itself into the AppData folder under a random name, generating a scheduled task configuration within a temporary directory, and initiating a scheduled task. What’s more, it possesses the ability to self-delete from the system post data exfiltration, employing a deletion command with a 3-second timer.

Snake keylogger execution process

As a typical stealer, Snake keylogger doesn't produce a lot of noticeable activity, which makes its detection potentially tricky. However, once it's established on an infected machine, it may increase its activity — capturing more data and sending it to the command-and-control server.

In the majority of Snake versions, a single process is responsible for all malicious activities, which include stealing data from the compromised system. In the specific sample of Snake we've analyzed, this process was identified as arinzehfkd685371.exe.

snake keylogger main process

arinzehfkd685371.exe process details

The Snake malware uses a variety of tactics and techniques, as illustrated in the Mitre ATT&CK Matrix. Key strategies include:

  • exploiting client vulnerabilities for initial access
  • extracting credentials from files and password stores
  • querying the system registry
  • and collecting local emails.

It also uses tool transfers and mail protocols for command, control, and exfiltration purposes. Notably, a significant proportion of events (270) involved stealing credentials from files.

snake keylogger ATT&CK Matrix

The Mitre ATT&CK Matrix for Snake malware

During the analysis, ANY.RUN cloud interactive sandbox was able to retrieve Snake’s config automatically. The displayed configuration reveals the DES encryption key and the SMTP credentials used for data exfiltration.

snake keylogger configuration

Snake keylogger malware configuration

Network monitoring tools can use this SMTP information for detection, potentially flagging or blocking traffic associated with the host or email addresses.

Read a detailed analysis of Snake Keylogger in our blog.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Distribution of Snake malware

As is common with Malware-as-a-Service families, Snake is distributed through mass email phishing campaigns and targeted spearphishing. It is known to arrive via infected Microsoft Office documents or PDFs, typically embedded in payment-related messages.

Upon the user extracting the executable, it proceeds to decode and decrypt the base-64 payload, which is contained within a string variable.

Users are recommended to remain vigilant when downloading payment receipts or any documents from unfamiliar senders. Key signs of phishing attempts to look out for include poor grammar, manipulative messaging, and an unusually high number of typos for a professional email.

Snake malware conclusions

In closing, Snake is a powerful infostealer and keylogger that targets various industries and platforms, capable of extracting a wide range of data. Its sandbox evasion capabilities only add to the challenge of detection and analysis.

Try analyzing Snake in ANY.RUN. Create a free account using your business email to try out our interactive cloud malware sandbox.

HAVE A LOOK AT

Mamba 2FA screenshot
Mamba 2FA
mamba
Mamba 2FA is an advanced phishing-as-a-service (PhaaS) platform designed to bypass multi-factor authentication (MFA) and target Microsoft 365 accounts. It focuses on intercepting authentication flows in real-time and enables threat actors to hijack user sessions and access sensitive systems even when additional security measures are in place.
Read More
Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
Chaos Ransomware screenshot
Chaos ransomware is a malware family known for its destructive capabilities and diverse variants. It first appeared in 2021 as a ransomware builder and later acted as a wiper. Unlike most ransomware strains that encrypt data to extort payment, early Chaos variants permanently corrupted files, while later versions adopted more conventional encryption techniques.
Read More
Cerber screenshot
Cerber
cerber
Cerber is a Ransomware-as-a-Service (RaaS) that appeared in 2016, spread quickly and has been evolving since. It became well-known for its file encryption, offline capabilities, and sophisticated evasion techniques. It primarily targets enterprises, financial institutions, and government entities, encrypting their data and demanding ransom payments in Bitcoin. It also targets everyday users encrypting personal files (photos, documents) with the risk of their permanent loss.
Read More
Wshrat screenshot
Wshrat
wshrat rat trojan
WSHRAT is a Remote Access Trojan — a malware that allows the attackers to take over the infected machines. The RAT has been in circulation since 2013 and it is arguably most notable for the numerous versions released into the wild.
Read More