Hashtag: #snakekeylogger

@james_inthe_box https://bazaar.abuse.ch/browse/tag/158.94.211.63/

0 0 0 0
Post image

#snakekeylogger at:

https://intesmak\.com/obitwo

c2: api.telegram\.org/bot8099843793:AAGeYKMLti...

0 0 1 0
Post image

Beware of #SnakeKeylogger phishing emails impersonating financial institutions. They use PowerShell scripts to steal sensitive data. Stay vigilant and educate your team. #CyberSecurity #PhishingAlert Link: thedailytechfeed.com/snakekeylogg...

0 0 0 0
Preview
Analysis Quotation.exe (MD5: 899BE63B33046D462FBD58BBD9E40CEB) Malicious activity - Interactive analysis ANY.RUN
Interactive malware hunting service. Live testing of most types of threats in any environment. No installation and no waiting necessary.

Been a while since I've seen a bundle:

app.any.run/tasks/854ff7f7-2165-4d69...

#remcos #rat #snakekeylogger

https://api.telegram\.org/bot8344787963 on the #snakekeylogger

0 0 0 0
July 2025 Threat Report

~Anyrun~
Campaigns use obfuscated .LNK files and fake installers to deliver stealers like DeerStealer and Snake Keylogger.
-
IOCs: tripplefury. com, reallyfreegeoip. org, 104. 21. 96. 1
-
#DeerStealer #Malware #SnakeKeylogger #ThreatIntel

0 0 0 0
Post image

The threat actors behind Agent Tesla have reportedly lost access to the servers with the malware’s source code. A successor appeared almost immediately – another #MaaS threat, known as #SnakeStealer or #SnakeKeylogger, has claimed the number one spot. 2/4

3 0 1 0
Post image

Been seeing a spate of side-loaded DLLs... usually #snakekeylogger as of late:

app.any.run/tasks/acf4c11a-14f6-42b5...

0 0 0 0
Preview
Recently, AhnLab SEcurity intelligence Center (ASEC) has identified cases of the ModiLoader (DBatLoader) malware being distributed via email. ModiLoader ultimately executes SnakeKeylogger. SnakeKeylogger is an Infostealer-type malware developed in .NET. It is known for its data exfiltration methods using emails, FTP, SMTP, or Telegram.

Figure 1 shows the email being distributed. The email is written in Turkish and is being distributed by impersonating a Turkish bank. Users are prompted to open the malicious attachment to check their transaction history. The compressed file contains the BAT malware shown in Figure 2.

Figure 1. Email body
Figure 2. Inside the rar compressed file (bat file)

Figure 3 shows the BAT code creating and executing the DBatLoader malware (x.exe) encoded in Base64 in the %temp% directory. Figure 4 is the image of the created DBatLoader malware (x.exe).

Figure 3. Main part of the bat script (creating and executing x.exe)
Figure 4. x.exe (DBatLoader) created in the Temp directory

Figures 5 and 6 show the obfuscated and decrypted forms of three bat scripts (5696.cmd, 8641.cmd, neo.cmd) executed by DBatLoader (x.exe). DBatLoader uses these bat scripts and files such as svchost.pif, netutils.dll, and wxiygomE.pif to achieve its attack goals of evading detection and executing keyloggers.

Figure 5. DBatLoader executing the obfuscated bat script
Figure 6. DBatLoader decrypting the bat script

# Attack Process

## 1. Evasion of Detection

Figure 7 is the 8641.cmd script of the bat script. The Esentutl command is used to copy cmd.exe as alpha.pif. The mkdir command is then used to create a folder (Windows \SysWow64) including a space in its name to disguise it as a legitimate path.

Figure 7. Functions of 8641.cmd

DBatLoader (x.exe) creates a program with the disguised name svchost.pif in the Windows \SysWow64 directory. As shown in Figure 8, this program has the same name as the legitimate process easinvoker.exe, and a malicious netutils.dll is created in the same directory to perform DLL side-loading. As a result, the legitimate easinvoker.exe process exhibits malicious behavior. Figure 9 shows the decrypted 5696.cmd script. The script executes svchost.pif to load the malicious netutils.dll as a side-loaded DLL. It then uses the ping command to introduce a 10-second delay before deleting the malicious netutils.dll file. Figure 10 shows the functions of the malicious netutils.dll, which involves decoding encoded commands to execute a command that runs the neo.cmd file.

Figure 8. Legitimate program (easinvoker.exe) with the file name disguised as svchost.pif
Figure 9. Functions of 5696.cmd
Figure 10. Functions of manipulated netutils.dll (executing neo.cmd)

Figure 11 shows the contents of the neo.cmd script, which uses the extrac32 command to copy powershell.exe under the name xkn.pif. Through a command executed on xkn.pif (powershell.exe), subdirectories under "C:" are added to Windows Defender's exclusion paths, achieving the goal of bypassing detection.

Figure 11. Functions of neo.cmd

## 2. Information Theft (SnakeKeyLogger)

Figure 12 shows the process tree of behaviors executed from DBatLoader (x.exe). After achieving detection evasion, a file named wxiygomE.pif is created. The program is a module (loader.exe) of the legitimate mercurymail program, shown in Figure 13. Afterward, the legitimate process with a disguised name (wxiygomE.pif) is executed, and SnakeKeylogger is injected.

Figure 12. Process tree of DBatLoader (x.exe)
Figure 13. Normal program with a disguised file name (loader.exe)

Figure 14 is the list of functions corresponding to the functions of SnakeKeylogger injected into the legitimate process (wxiygomE.pif). These include malicious functions such as exfiltrating keylogging data such as system information, keyboard inputs, and clipboard data.

Figure 14. Function list of SnakeKeylogger

Figure 15 corresponds to the threat actor's configuration value in SnakeKeylogger. The configured Telegram bot token is used to transmit the exfiltrated information to the Telegram C2.

Figure 15. Threat actor's configuration for SnakeKeylogger

# Conclusion

The DBatLoader malware distributed through phishing emails has the cunning behavior of exploiting normal processes (easinvoker.exe, loader.exe) through techniques such as DLL side-loading and injection for most of its behaviors, and it also utilizes normal processes (cmd.exe, powershell.exe, esentutl.exe, extrac32.exe) for behaviors such as file copying and changing policies. As it is difficult to detect the infection when targeting individuals, individual users need to be cautious and maintain a strong sense of security by being careful about initial access techniques such as executing script extensions from phishing emails and keeping their security products up-to-date to prevent such attacks.

MD5
7fa27c24b89cdfb47350ecfd70e30e93
a0a35155c0daf2199215666b00b9609c

URL
https[:]//api[.]telegram[.]org/bot8135369946[:]AAEGf2H0ErFZIOLbSXn5AVeBr_xgB-x1Qmk/sendDocument?chat_id=7009913093

#### Tags: DBatLoader, 피싱메일 (phishing email), PhishingEmail, SnakeKeylogger

DBatLoader (ModiLoader) Being Distributed to Turkish Users
Recently, AhnLab SEcurity intelligence...

https://asec.ahnlab.com/en/88025/

#Malware #Public #DBatLoader #피싱메일 #PhishingEmail #SnakeKeylogger


0 0 0 0
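The ASEC write-up above describes the chain mostly in terms of living-off-the-land steps (esentutl and extrac32 copying cmd.exe and powershell.exe to .pif names, a "Windows \SysWow64" directory with a trailing space, renamed binaries run as .pif files, a ping delay before netutils.dll is deleted, and Defender exclusion paths being added). The script below is an added detection example, not ASEC's code or anything from the post: it scores process-creation events against exactly those steps. The "Key=Value | Key=Value" log format and every sample event are constructed for this example, and the Add-MpPreference -ExclusionPath command form is an assumption (the write-up only says exclusion paths were added through powershell.exe).

```python
"""Detection rules for the DBatLoader -> SnakeKeylogger chain (added example).

Not ASEC's code. The log format and sample events are constructed; the
Add-MpPreference command form is assumed, not quoted from the write-up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Event:
    image: str      # path of the process that started
    cmdline: str    # its command line
    parent: str     # path of the parent process


def parse_event(line: str) -> Event:
    """Parse one constructed 'Key=Value | Key=Value' process-creation record."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return Event(fields.get("Image", ""), fields.get("CommandLine", ""),
                 fields.get("ParentImage", ""))


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# A path component that ends in a space right before the next backslash,
# e.g. "C:\Windows \SysWow64" (the disguised directory created by 8641.cmd).
MASQUERADE_DIR = re.compile(r"\\[^\\]*? \\")
# LOLBins the write-up shows copying cmd.exe / powershell.exe to .pif names.
COPY_LOLBINS = {"esentutl.exe", "extrac32.exe"}
PIF_TARGET = re.compile(r"\.pif\b", re.I)
# "ping ... & del ...": the 10-second delay before netutils.dll is removed.
PING_THEN_DEL = re.compile(r"\bping\b.*&.*\bdel\b", re.I | re.S)
# Assumed command form for adding a Defender exclusion path.
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I)


def evaluate(ev: Event) -> Set[str]:
    """Return the names of every rule the event triggers (empty set = clean)."""
    hits = set()
    if _basename(ev.image) in COPY_LOLBINS and PIF_TARGET.search(ev.cmdline):
        hits.add("lolbin_copy_to_pif")
    if ev.image.lower().endswith(".pif"):
        hits.add("pif_executed")
    if MASQUERADE_DIR.search(ev.image) or MASQUERADE_DIR.search(ev.cmdline):
        hits.add("masquerade_dir")
    if PING_THEN_DEL.search(ev.cmdline):
        hits.add("ping_delay_then_delete")
    if DEFENDER_EXCLUSION.search(ev.cmdline):
        hits.add("defender_exclusion")
    return hits


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count how many events in a log triggered each rule."""
    counts: Dict[str, int] = {}
    for line in lines:
        for rule in evaluate(parse_event(line)):
            counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample log modelled on the chain in the write-up (not real telemetry).
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\esentutl.exe | CommandLine=esentutl /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o | ParentImage=C:\Users\user\AppData\Local\Temp\x.exe",
    r'Image=C:\Users\Public\alpha.pif | CommandLine=alpha.pif /c mkdir "C:\Windows \SysWow64" | ParentImage=C:\Users\user\AppData\Local\Temp\x.exe',
    r'Image=C:\Windows \SysWow64\svchost.pif | CommandLine="C:\Windows \SysWow64\svchost.pif" | ParentImage=C:\Users\Public\alpha.pif',
    r'Image=C:\Windows\System32\cmd.exe | CommandLine=cmd /c ping 127.0.0.1 -n 10 > nul & del "C:\Windows \SysWow64\netutils.dll" | ParentImage=C:\Windows \SysWow64\svchost.pif',
    r"Image=C:\Windows\System32\extrac32.exe | CommandLine=extrac32 /Y /C C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Public\xkn.pif | ParentImage=C:\Users\Public\alpha.pif",
    r"Image=C:\Users\Public\xkn.pif | CommandLine=xkn.pif -Command Add-MpPreference -ExclusionPath 'C:\Users' | ParentImage=C:\Users\Public\alpha.pif",
    r"Image=C:\Windows\System32\cmd.exe | CommandLine=cmd /c dir C:\Program Files\ | ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Windows\System32\ping.exe | CommandLine=ping 8.8.8.8 | ParentImage=C:\Windows\System32\cmd.exe",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        ev = parse_event(line)
        print(f"{_basename(ev.image):<14} {sorted(evaluate(ev))}")
    print(summarize(SAMPLE_LOG))
```

The two benign events (a dir listing under "Program Files" and a plain ping) trigger nothing, which is the point of the trailing-space regex: it fires only on a component that ends in a space before the next backslash, not on ordinary spaced directory names. In practice these rules are most useful correlated by parent process, since every malicious event here descends from the Temp-dropped x.exe or from a renamed .pif.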

#snakekeylogger

c2: mail.alnozha-qa\.com

0 0 0 0
Preview
SnakeKeylogger: Stealthy Malware Targets Credentials in Sophisticated Attacks
Uncover the threats posed by SnakeKeylogger, an advanced info-stealing malware that employs stealthy techniques to evade detection.

New #SnakeKeylogger malware emerges - uses sophisticated evasion to steal credentials from browsers, email clients, and financial apps.
Highly targeted attacks observed.
securityonline.info/snakekeylogg...

0 0 0 0
Preview
New Snake Keylogger Variant Leverages AutoIt Scripting to Evade Detection (according to security researcher Kevin Su)

New Snake Keylogger Variant Leverages AutoIt Scripting to Evade Detection reconbee.com/new-snake-ke...

#snakekeylogger #autoitscripting #scripting #CyberSecurityAwareness #cyberattack

2 0 0 0
Preview
Evolving Snake Keylogger Variant Targets Windows Users
A new Snake Keylogger variant, responsible for over 280 million blocked infection attempts worldwide, has been identified targeting Windows users.

Evolving Snake Keylogger variant targets Windows users

Evolving Snake Keylogger Variant Targets Windows Users #InfosecurityMagazine (Feb 18)

#SnakeKeylogger #情報窃取 #フィッシング #Windowsセキュリティ #サイバー攻撃

0 0 0 0
Preview
Unit42-timely-threat-intel/2024-09-16-IOCs-for-Snake-KeyLogger.txt at main · PaloAltoNetworks/Unit42-timely-threat-intel
A collection of files with indicators supporting social media posts from Palo Alto Networks' Unit 42 team to disseminate timely threat intelligence. - PaloAltoNetworks/Unit42-timely-threat-intel

2024-09-16 (Monday): Saw an #infostealer calling itself "VIP Recovery" which some might call #VIPKeyLogger. Further investigation indicates it's actually #SnakeKeyLogger. Indicators and more info available at bit.ly/3XLR715 #Unit42ThreatIntel

0 1 0 0