Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Snake

77
Global rank
122 infographic chevron month
Month rank
111 infographic chevron week
Week rank
0
IOCs

Snake is a modular keylogger written in .NET. Adversaries use this malware to exfiltrate confidential data, such as keystrokes, screen captures, and login credentials.

Keylogger
Type
Ex-USSR
Origin
15 August, 2019
First seen
29 March, 2022
Last seen
Also known as
404 Keylogger
404KeyLogger
Snake Keylogger

How to analyze Snake with ANY.RUN

Type
Ex-USSR
Origin
15 August, 2019
First seen
29 March, 2022
Last seen

IOCs

IP addresses
31.210.74.53
Domains
smtp.yandex.com
us2.smtp.mailhostbox.com
smtp.privateemail.com
mail.stilltech.ro
mail.privateemail.com
smtp.yandex.ru
mail.skyshine.com.my
mail.bhungar.com
mail.rinc.in
smtp.gmail.com
mail.prinutrition.com
smtp.mail.ru
cp5ua.hyperhost.ua
smtp.ionos.mx
mail.valleycountysar.org
mail.saadzakhary.com
mail.activeshipping.com
smtp.vivaldi.net
mail.yezinsaat.com.tr
mail.nclanka.lk
Last Seen at

Recent blog posts

post image
Malware Trends Overview Report: 2024
watchers 4958
comments 0
post image
YARA Rules: Cyber Threat Detection Tool for M...
watchers 680
comments 0
post image
Threat Intelligence Pivoting: Actionable Insi...
watchers 557
comments 0

What is Snake malware

Snake is a modular infostealer and keylogger that was initially discovered in November 2020. Developed using the .Net programming language, it exhibits similarities with the AgentTesla, Formbook, and Matiex malware families, particularly in its staging mechanism.

Snake poses a significant risk to privacy due to its ability to exfiltrate a broad range of data. Its capabilities include:

  • Keyboard capturing
  • Clipboard hijacking
  • Credential theft
  • Screen recording

Snake is capable of stealing credentials from over 50 applications, including popular web browsers and file transfer clients, such as FileZilla. Notably, this malware is also able to steal wireless network profiles.

This keylogger is also notable due to its ability to exfiltrate that data through multiple protocols: FTP, SMTP, and Telegram.

Additionally, Snake collects system information including the hardware configuration, name, and operating system version of the infected machine.

Utilizing the system's IP address and date-time information, it identifies the geolocation of the machine it operates on. Some Snake samples, though not all, use this data to activate a kill switch. Such behavior is common for malware originating from the ex-USSR region, typically avoiding targets within nearby countries.

The threat of Snake infection is not confined to specific industries or geographical areas. According to some reports, it has the potential to infect all major platforms, including Windows, Linux, and more recently, MacOS. In addition, Snake is a highly popular malware — it often competes with AgentTesla for the top spot of various charts.

Snake is readily available as a Malware-as-a-Service on underground forums, with pricing options that range from 25 to 500 USD.

This infostealer comes equipped with anti-evasion capabilities. In some samples, its downloader component was found to sleep for a period of time to evade automatic sandboxes. It can also terminate processes related to AV and network analysis tools, such as Avast and Wireshark.

Upon completing the initial process, Snake secures its persistence by duplicating itself into the AppData folder under a random name, generating a scheduled task configuration within a temporary directory, and initiating a scheduled task. What’s more, it possesses the ability to self-delete from the system post data exfiltration, employing a deletion command with a 3-second timer.

Snake keylogger execution process

As a typical stealer, Snake keylogger doesn't produce a lot of noticeable activity, which makes its detection potentially tricky. However, once it's established on an infected machine, it may increase its activity — capturing more data and sending it to the command-and-control server.

In the majority of Snake versions, a single process is responsible for all malicious activities, which include stealing data from the compromised system. In the specific sample of Snake we've analyzed, this process was identified as arinzehfkd685371.exe.

snake keylogger main process

arinzehfkd685371.exe process details

The Snake malware uses a variety of tactics and techniques, as illustrated in the Mitre ATT&CK Matrix. Key strategies include:

  • exploiting client vulnerabilities for initial access
  • extracting credentials from files and password stores
  • querying the system registry
  • and collecting local emails.

It also uses tool transfers and mail protocols for command, control, and exfiltration purposes. Notably, a significant proportion of events (270) involved stealing credentials from files.

snake keylogger ATT&CK Matrix

The Mitre ATT&CK Matrix for Snake malware

During the analysis, ANY.RUN cloud interactive sandbox was able to retrieve Snake’s config automatically. The displayed configuration reveals the DES encryption key and the SMTP credentials used for data exfiltration.

snake keylogger configuration

Snake keylogger malware configuration

Network monitoring tools can use this SMTP information for detection, potentially flagging or blocking traffic associated with the host or email addresses.

Read a detailed analysis of Snake Keylogger in our blog.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Distribution of Snake malware

As is common with Malware-as-a-Service families, Snake is distributed through mass email phishing campaigns and targeted spearphishing. It is known to arrive via infected Microsoft Office documents or PDFs, typically embedded in payment-related messages.

Upon the user extracting the executable, it proceeds to decode and decrypt the base-64 payload, which is contained within a string variable.

Users are recommended to remain vigilant when downloading payment receipts or any documents from unfamiliar senders. Key signs of phishing attempts to look out for include poor grammar, manipulative messaging, and an unusually high number of typos for a professional email.

Snake malware conclusions

In closing, Snake is a powerful infostealer and keylogger that targets various industries and platforms, capable of extracting a wide range of data. Its sandbox evasion capabilities only add to the challenge of detection and analysis.

Try analyzing Snake in ANY.RUN. Create a free account using your business email to try out our interactive cloud malware sandbox.

HAVE A LOOK AT

StrelaStealer screenshot
StrelaStealer
strela
StrelaStealer is a malware that targets email clients to steal login credentials, sending them back to the attacker’s command-and-control server. Since its emergence in 2022, it has been involved in numerous large-scale email campaigns, primarily affecting organizations in the EU and U.S. The malware’s tactics continue to evolve, with attackers frequently changing attachment file formats and updating the DLL payload to evade detection.
Read More
GootLoader screenshot
GootLoader
gootloader
GootLoader is an initial-access-as-a-service malware that operates by delivering the GootKit banking trojan and other malicious payloads. It utilizes techniques such as fileless execution and process injection to avoid detection. The malware is often distributed through SEO poisoning and compromised websites, deceiving users into downloading infected files.
Read More
Mallox screenshot
Mallox
mallox
Mallox is a ransomware strain that emerged in 2021, known for its ability to encrypt files and target database servers using vulnerabilities like RDP. Often distributed through phishing campaigns and exploiting exposed SQL servers, it locks victims' data and demands a ransom. Mallox operates as a Ransomware-as-a-Service (RaaS), making it accessible to affiliates who use it to conduct attacks.
Read More
Arechclient2 screenshot
Arechclient2
arechclient2
The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes.
Read More
Raspberry Robin screenshot
Raspberry Robin
raspberryrobin
Raspberry Robin is a trojan that primarily spreads through infected USB drives and exploits legitimate Windows commands. This malware is known for its advanced obfuscation techniques, anti-debugging mechanisms, and ability to gain persistence on infected systems. Raspberry Robin often communicates with command-and-control servers over the TOR network and can download additional malicious payloads.
Read More
Bluesky Ransomware screenshot
BlueSky ransomware, first identified in June 2022, shares code similarities with other well-known ransomware families like Conti and Babuk. It primarily spreads via phishing emails and malicious links and can propagate through networks using SMB protocols. BlueSky uses advanced evasion techniques, such as hiding its processes from debuggers via the NtSetInformationThread API, making it difficult for analysts to detect and mitigate its attacks.
Read More