Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

WhiteSnake

121
Global rank
116 infographic chevron month
Month rank
94 infographic chevron week
Week rank
0
IOCs

WhiteSnake is a stealer with advanced remote access capabilities. The attackers using this malicious software can control infected computers and carry out different malicious activities, including stealing sensitive files and data, recording audio, and logging keystrokes. WhiteSnake is sold on underground forums and often spreads through phishing emails.

Stealer
Type
Unknown
Origin
1 September, 2023
First seen
24 March, 2025
Last seen

How to analyze WhiteSnake with ANY.RUN

Type
Unknown
Origin
1 September, 2023
First seen
24 March, 2025
Last seen

IOCs

IP addresses
95.216.147.179
101.132.223.26
18.228.80.130
45.82.65.63
8.134.71.132
206.189.109.146
167.99.138.249
107.161.20.142
192.99.196.191
46.4.73.118
44.228.161.50
47.110.140.182
5.78.68.6
168.138.211.88
129.151.109.160
47.96.78.224
81.187.79.8
104.238.189.120
216.39.242.18
164.132.115.9
Domains
traffik-filtrados.info
vosn.at
Last Seen at
Last Seen at

Recent blog posts

post image
TI Lookup Named Best Threat Intelligence Serv...
watchers 384
comments 0
post image
Decoding a Malware Analyst: Essential Skills...
watchers 444
comments 0
post image
Expose Android Malware in Seconds: ANY.RUN Sa...
watchers 3022
comments 0

What is WhiteSnake malware?

WhiteSnake is a stealer malware whose activity was first observed in early 2023. This malware is designed to infiltrate computer systems and exfiltrate a variety of sensitive information to the attacker’s servers, including saved passwords, autofill information, and browsing history.

WhiteSnake operates as a malware-as-a-service (MaaS), a business model where the developers offer the malware to other cybercriminals for a fee. In the case of WhiteSnake, the developers provide a subscription service for several hundred dollars.

According to the threat intelligence researcher @RussianPanda9xx, the malware’s notable feature is the support of different payload formats like BAT, MSI, SCR, etc.

The distribution and sale of WhiteSnake primarily occurs on DarkWeb forums and Telegram. The availability of the malware contributes to its spread and increases its potential impact.

WhiteSnake has been distributed through various vectors like phishing campaigns, where unsuspecting users are tricked into downloading the malware, and even through open-source repositories.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

WhiteSnake malware execution process

Let’s upload a sample of WhiteSnake to the ANY.RUN sandbox.

WhiteSnake analysis in ANY.RUN WhiteSnake analysis in ANY.RUN sandbox

WhiteSnake first performs anti-VM checks to detect if it is running in a virtual environment or sandbox. It does this by querying the Windows Management Instrumentation (WMI) to retrieve the "Manufacturer" and "Model" properties of the system. It then checks if any of these properties contain strings associated with virtual machines or sandboxes, such as "virtual," "vmware," "virtualbox," etc. If any of these strings are detected, the malware will exit to avoid analysis.

WhiteSnake process graph in ANY.RUN WhiteSnake process graph demonstrated by ANY.RUN sandbox

The malware in our task performs system discovery and uses the command line to display information about available Wi-Fi networks, including SSID, BSSID, and signal strength. It also checks if a mutex (a synchronization object) is already present to prevent multiple instances of the malware from running simultaneously. In our sample, the mutex is "lcy9igxycx."

Then WhiteSnake proceeds to gather sensitive information from the infected system. This includes:

  • Browsing data (cookies, autofill, login data, history, etc.) from various web browsers like Chrome, Firefox, Edge, etc.
  • Cryptocurrency wallet data from popular wallets like Ledger, Atomic, Wasabi, Binance, etc.
  • Cryptocurrency browser extension data from extensions like MetaMask, Ronin, Binance Chain, etc.
  • Other system information like username, computer name, etc.

The gathered information is then encrypted and uploaded to one of the attacker-controlled servers specified in the malware's configuration.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

WhiteSnake stealer technical details

Let’s sum up what the WhiteSnake stealer is capable of. Thanks to its remote command execution functionality. attackers can remotely control the infected system and perform various malicious activities that include:

  • Pulling data from browsers, including Chrome and Firefox, and File Transfer Protocol (FTP) clients.
  • Taking screenshots of the infected system, providing attackers with visual information about the user's activities.
  • Recording audio using the machine's microphone.
  • Taking shots using the web camera.
  • Capturing victims’ keystrokes, which lets attackers discover their login credentials, credit card numbers, and other sensitive information entered by the user.
  • Stealing dozens of crypto wallets, including popular extensions like MetaMask and Phantom, and desktop wallets like Exodus.

One of the key features of this malware is its use of mutex to avoid running on systems that have already been infected. This helps prevent detection and conflict with other instances of the malware.

It is also designed to avoid analysis in a sandbox or virtual machine. The malware includes anti-VM functionality that allows it to detect when it is running in a virtual environment and stop its operation.

WhiteSnake can maintain persistence on the infected system. It automatically runs via a scheduled task, ensuring that it remains active even after the system is restarted.

WhiteSnake malware distribution methods

As mentioned, WhiteSnake is distributed through various methods. However, as with most stealers, including Stealc and Amadey, phishing emails with malicious attachments and links constitute the most widespread vector of attack. In one campaign, criminals leveraged fake documents masquerading as official correspondence from a government agency.

In another attack, threat actors attempted to spread the WhiteSnake stealer through the open-source Python Package Index repository. Attackers uploaded malicious code hoping it would be downloaded and executed by unsuspecting users.

Given that WhiteSnake is a MaaS, available for purchase to various criminals, it is likely that new methods of distributing this threat will be used by criminals in the future.

Conclusion

WhiteSnake is a relatively new but serious cybersecurity threat for organizations worldwide. To prevent infection, it's important to have good security measures in place. One important part of a strong security plan is using a malware analysis sandbox.

ANY.RUN’s interactive sandbox has many features that make analyzing malware easier and faster. It can:

  • Identify threats in files and URLs in less than 40 seconds.
  • Let you interact with samples and the system, just like on a regular computer.
  • Give you customizable Windows and Linux virtual machines to fit your needs.
  • Create detailed reports that explain the threats that were found.
  • Show all activities related to the network, registry, files, and processes.

Create your FREE ANY.RUN account today!

HAVE A LOOK AT

Backdoor screenshot
Backdoor
backdoor
A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.
Read More
zgRAT screenshot
zgRAT
zgrat
zgRAT is a malware known for its ability to infect systems and exfiltrate sensitive data to command-and-control (C2) servers. It is primarily distributed through loader malware, as well as phishing emails. zgRAT employs various advanced techniques, including process injection and code obfuscation, to evade detection and maintain persistence on infected systems. The malware can also spread via USB drives and uses popular messaging platforms like Telegram and Discord for data exfiltration.
Read More
DarkTortilla screenshot
DarkTortilla
darktortilla
DarkTortilla is a crypter used by attackers to spread harmful software. It can modify system files to stay hidden and active. DarkTortilla is a multi-stage crypter that relies on several components to operate. It is often distributed through phishing sites that look like real services.
Read More
Black Basta screenshot
Black Basta
blackbasta
Black Basta is a ransomware-as-a-service operated by Storm-1811. It emerged in 2022 and uses double extortion tactics, encrypting data and stealing it for ransom. The malware often gains access through spear-phishing and uses tools like QakBot and Cobalt Strike. It's known for exploiting system vulnerabilities and using advanced obfuscation techniques.
Read More
SSLoad screenshot
SSLoad
ssload
SSLoad is a malicious loader or downloader that is used to infiltrate target systems through phishing emails, perform reconnaissance and transmit it back to its operators delivering malicious payloads. To avoid detection, SSLoad employs various encryption methods and delivery techniques highlighting its versatile nature and complexity. It is believed to be a part of Malware-as-a-Service (MaaS) operation given its diverse delivery methods and implemented techniques.
Read More
Havoc screenshot
Havoc
havoc
Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.
Read More