Keypoints
- Sample is multi-stage (.exe -> Aads.dll -> Tyrone.dll -> final EXE) where each stage is embedded, decrypted, and loaded in-memory via Assembly.Load/Activator.CreateInstance.
- Payloads are hidden using steganography (noisy image resources) and reassembled using byte-array searching, sorting (heap/quick sort) and rearrangement to reconstruct PE headers (“MZ”, “PE”).
- Heavily obfuscated VB/.NET code and junk application logic (Airplane/Pandemic simulations) are used to mislead analysts; deobfuscation was performed with .NET Reactor Slayer and manual renaming in dnSpy.
- Malware configuration (SMTP server, port and credentials) is stored encrypted as Base64(DES-ECB(value)); the DES key is the first 8 bytes of MD5(“…key string…”). The article includes Python code for decrypting and re-encrypting these values.
- Main infostealer features: browser credential extraction (Chrome/Edge Login Data SQLite), Discord tokens (LevelDB), screenshots, clipboard capture, and a keylogger capturing KeyDown/KeyUp events.
- Exfiltration supported via SMTP (MailMessage + smtpClient.Send), FTP, or Telegram API; this sample used SMTP with hardcoded, encrypted SMTP credentials.
- Anti-analysis and defense-evasion: checks connectivity and self-deletes, moves to Temp, and kills security/monitoring processes; the author demonstrates safe modding to disable these behaviors for analysis.
MITRE Techniques
- [T1620] Reflective Code Loading – Loads decrypted binary data as an assembly in memory with “Assembly.Load(data2)” and starts it with “Activator.CreateInstance(type, args)”.
- [T1027.003] Steganography – Hides stage payload inside a noisy bitmap resource and extracts byte data from resource “ivmsL” to reconstruct a PE (“…the steganography image “ivmsL” that is used in GetObject()”).
- [T1027] Obfuscated Files or Information – Uses heavy code obfuscation, meaningless class/method names and junk application logic (Airplane/Pandemic simulations) to hamper analysis (“…a bunch of irrelevant code related to an ‘Airplane Travelling’ application”).
- [T1555.002] Credentials from Web Browsers – Reads browser SQLite “Login Data” files (Chrome/Edge paths) to harvest saved credentials (“…Google\Chrome\User Data\Default\Login Data” / “Microsoft\Edge\User Data\Default\Login Data”).
- [T1056.001] Keylogging – Implements a keylogger by monitoring KeyDown/KeyUp events to capture keystrokes (“…monitors keystrokes with the event handler for the KeyDown and KeyUp event”).
- [T1562.001] Impair Defenses: Disable or Modify Security Tools – Searches for and kills processes related to AV, debuggers and network monitors (Norton, Kaspersky/Avp, Wireshark, OllyDbg, etc.) (“…searches and kills processes related to security and monitoring”).
- [T1070.004] Indicator Removal on Host: File Deletion – Deletes itself after execution as an anti-analysis/cleanup step (“…Self-Deletion after execution”; in the author's lab-modified copy, “The code responsible for self-deletion is commented out”).
- [T1041] Exfiltration Over Command and Control Channel – Sends stolen data out of the victim via SMTP (MailMessage + smtpClient.Send), FTP upload, or Telegram API requests (“…exfiltrate all this collected information, via FTP, SMTP, or Telegram”).
Indicators of Compromise
- [File name] sample and stages – pago 4094.exe, lfwhUWZlmFnGhDYPudAJ.exe (final payload)
- [File name / module] in-memory modules – Aads.dll, Tyrone.dll (stages extracted and saved during analysis)
- [SHA1] stage hashes – A663C9ECF8F488D6E07B892165AE0A3712B0E91F (pago 4094.exe), 86BE2A34EACBC0806DBD61D41B9D83A65AEF69C5 (lfwhUWZlmFnGhDYPudAJ.exe)
- [MD5] example hashes – 1A0F4CC0513F1B56FEF01C815410C6EA (pago 4094.exe), BDEF67C31299A3D0C10E3608C7EE2BDB (lfwhUWZlmFnGhDYPudAJ.exe)
- [Resource names] embedded resources used for reassembly/steganography – “Grab”, “ivmsL”, “wHzyWQnRZ”
- [Encrypted config strings] Base64 DES-ECB config examples – “I22WW+qzjWDd9uzIPosYRadxnZcjebFO”, “MrZp4p9eSu2QFqjr3GQpbw==”, and other encrypted fields
During analysis the author prepared an isolated Windows .NET debugging environment, opened the 32-bit sample in dnSpy, set breakpoints at the resource-decode points, and stepped through the decryption/reassembly logic to extract each stage. The 4-stage chain works by reading a resource (GetObject(“Grab”) / image resources like “ivmsL”), then decrypting or rearranging its bytes (for-loops and sorts) until the byte array begins with “MZ” and can be loaded with Assembly.Load; each loaded module was saved (Aads.dll, Tyrone.dll) and inspected in dnSpy to find the pointer to the next resource. The configuration in Class6 is stored as Base64-encoded DES-ECB ciphertext, with the first 8 bytes of MD5(“BsrOkyiChvpfhA…”) as the DES key; the article provides Python code to decrypt and re-encrypt these SMTP/credential fields.
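The reassembly loop above stops when the rearranged bytes form a loadable PE. As an added example (written here, not code from the article or the sample), the Go helper below performs the check an analyst would apply to a decoded resource blob: “MZ” at offset 0, and “PE\0\0” at the offset stored in the DOS header's e_lfanew field (0x3C). It also scans a blob for every offset at which such an image starts, so a stage can be carved out of a decoded resource without loading it. The sample input is a constructed header-only image prefixed with junk bytes; no real sample data is used.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// LooksLikePE validates the two signatures the article relies on: "MZ" at
// offset 0 and "PE\x00\x00" at the e_lfanew offset (DOS header offset 0x3C).
func LooksLikePE(data []byte) bool {
	if len(data) < 0x40 || !bytes.HasPrefix(data, []byte("MZ")) {
		return false
	}
	peOff := binary.LittleEndian.Uint32(data[0x3C:0x40])
	// e_lfanew must point inside the buffer with room for the 4-byte signature.
	if uint64(peOff)+4 > uint64(len(data)) {
		return false
	}
	return bytes.Equal(data[peOff:peOff+4], []byte("PE\x00\x00"))
}

// FindEmbeddedPE returns every offset in blob at which a PE image starts.
// Useful for carving a decrypted/rearranged stage out of a resource blob.
func FindEmbeddedPE(blob []byte) []int {
	var hits []int
	for i := 0; i+1 < len(blob); i++ {
		if blob[i] == 'M' && blob[i+1] == 'Z' && LooksLikePE(blob[i:]) {
			hits = append(hits, i)
		}
	}
	return hits
}

// FakePE builds a constructed, header-only image for demonstration:
// "MZ", e_lfanew = 0x40, and the "PE\x00\x00" signature at 0x40.
func FakePE() []byte {
	img := make([]byte, 0x80)
	copy(img, "MZ")
	binary.LittleEndian.PutUint32(img[0x3C:], 0x40)
	copy(img[0x40:], "PE\x00\x00")
	return img
}

func main() {
	// Constructed input: 17 junk bytes followed by the fake image.
	blob := append([]byte("noise-noise-noise"), FakePE()...)
	fmt.Println(FindEmbeddedPE(blob)) // [17]
}
```

A blob that merely contains the two ASCII bytes “MZ” (common in noisy image data) is rejected because the e_lfanew pointer must land on a valid “PE” signature, which is the same condition the loader effectively enforces.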
The final executable contains the infostealer and exfiltration logic: it copies itself to the Temp directory (a step the author patches out in the lab copy), enumerates browser/app storage (Chrome/Edge Login Data SQLite, Discord LevelDB), captures screenshots and clipboard contents, and hooks KeyDown/KeyUp events for keystrokes. Exfiltration options include SMTP (MailMessage + smtpClient.Send using the decrypted SMTP config), FTP upload, or sending via the Telegram API; the hard-coded credentials in the config determine which channel is used. The author documents the deobfuscation steps (.NET Reactor Slayer, manual renaming), how steganography and byte-array sorting (heapsort/quicksort) were used to assemble the stages, and how to safely mod the sample to disable the connectivity check, prevent self-deletion, and write stolen data locally so the behavior can be observed in a sandbox.
For practical reuse, the article includes working Python snippets: a DES-ECB decrypt/encrypt pair that derives an 8-byte key from the MD5 of the hard-coded string, and example calls that reveal the SMTP sender/receiver, server and port. It also shows how to replace those encrypted values to point exfiltration at a throwaway Outlook account, documents the safe changes (commenting out the connectivity check, self-delete and move-to-Temp), and adds visual indicators (set the desktop background, save “Passwords.txt”/“User.txt”) to confirm successful execution during analysis.
Read more: https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/