Snake Keylogger is a .NET Trojan Stealer that blends credential theft, keylogging, and data exfiltration with reconnaissance and persistence capabilities. It uses multiple C2 channels (FTP, SMTP, Telegram) to discreetly transmit stolen data, increasing operational flexibility and evasion. #SnakeKeylogger #SnakeKeyloggerLoader
Key Points
- Snake Keylogger combines keystroke logging, credential harvesting, clipboard data collection, and screenshots with system and network reconnaissance.
- It exfiltrates data via multiple C2 channels (FTP, SMTP, Telegram) to reduce single-point failure and enhance stealth.
- The loader uses .RSRC data entries to conceal an AES-encrypted payload, with a RUNPE injector launching the main Snake Keylogger.
- Obfuscation and layered loaders impede static analysis and sandbox detection.
- Persistence is achieved through Registry Run Keys, while defense evasion includes a kill-switch anti-sandbox check and termination of security-related processes.
- Credential access covers browsers (T1555.003), Outlook registry data, clipboard, screen capture, and keylogging (T1056.001, T1114, T1115, T1113).
MITRE Techniques
- [T1027] Obfuscated/Compressed Files and Information – Snake Keylogger uses obfuscation to hide code and AES-encrypted payloads in resources. “utilizing a variety of cryptors or loaders to obfuscate its code and evade detection by sandboxes.”
- [T1055] Process Injection – RUNPE injector module launches the actual SnakeKeylogger after decryption. “RUNPE injector module and the authentic Snake Keylogger malware.”
- [T1082] System Information Discovery – “Snake Keylogger gathers system information from compromised hosts, including details such as the operating system version, RAM size, and hard disk drive information.”
- [T1614] System Location Discovery – “retrieving the IP address of the compromised host by querying a public web service” and geo-location data from public services.
- [T1547.001] Registry Run Keys – “employs registry run keys to establish persistence on the compromised host.”
- [T1562.001] Impair Defenses – Kill Switch anti-sandbox mechanism that terminates the malware if the build date is before the current date. “‘Kill Switch’ mechanism … anti-sandbox technique …”
- [T1497] Virtualization/Sandbox Evasion – uses sandbox/virtualization checks as part of its anti-analysis measures. “anti-sandbox technique … reverse engineering or unpacking the SnakeKeylogger adds complexity.”
- [T1041] Exfiltration Over C2 Channel – Three C2 servers for data exfiltration (FTP, SMTP, Telegram). “three distinct C2 servers for data exfiltration: FTP, SMTP, and Telegram.”
- [T1016] System Network Configuration Discovery – “Windows Gather Victim Network Info Through Ip Check Web Services” to identify network parameters.
- [T1114] Email Collection – “Outlook profile information by querying into the system registry.”
- [T1115] Clipboard Data – “Clipboard Data – Snake Keylogger captures data stored in the clipboard.”
- [T1113] Screen Capture – “Screen Capture – takes screenshots saved as ‘Screenshot.jpg’.”
- [T1056.001] Keylogging – “Keylogging … covertly records every keystroke.”
- [T1555.003] Credentials from Web Browsers – targets multiple browsers/IM apps to steal credentials.
Indicators of Compromise
- [Hashes] 0dd188237a562417f239ff9be662f9336ec77a0906af62c26516a8e6f767f9f5, 80e12c2425ec7b8aa8913df82bd47c0c1a62f6539df22b6bf1ddab8b1694e3e8 – SnakeKeylogger
- [URLs/Domains] https://checkip.dyndns.org, https://reallygeoip.org – used for IP discovery and geolocation
- [Files] Screenshot.jpg – screenshot captured and saved in the user’s documents folder
- [Process] choice.exe – used to prompt user choices and introduce a time delay before cleanup
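As an added example (not from the original report), the indicators above turned into a small host-telemetry matcher: it labels constructed Sysmon-style events by the two hashes, the two IP-check domains, the Screenshot.jpg artifact in the Documents folder, and choice.exe launched with a timeout by a non-shell parent. The timeout heuristic (choice.exe's standard /T switch, parent not cmd.exe or powershell.exe) is an assumption drawn from the "time delay before cleanup" note, not from the report's own rules; the event records and paths are constructed samples.

```python
"""Match constructed Sysmon-style events against the Snake Keylogger indicators above."""
import re

# Indicators taken from the report: sample hashes, IP-check domains, artifact file name.
KNOWN_HASHES = {
    "0dd188237a562417f239ff9be662f9336ec77a0906af62c26516a8e6f767f9f5",
    "80e12c2425ec7b8aa8913df82bd47c0c1a62f6539df22b6bf1ddab8b1694e3e8",
}
IP_CHECK_DOMAINS = {"checkip.dyndns.org", "reallygeoip.org"}
# Screenshot written into the user's Documents folder (Windows path, case-insensitive).
SCREENSHOT_RE = re.compile(r"\\Documents\\Screenshot\.jpg$", re.IGNORECASE)
SHELL_PARENTS = ("cmd.exe", "powershell.exe")


def classify(event: dict) -> list:
    """Return the indicator labels an event triggers (empty list = no match)."""
    hits = []
    if event.get("sha256", "").lower() in KNOWN_HASHES:
        hits.append("hash:snakekeylogger")
    if event.get("dest_host", "").lower() in IP_CHECK_DOMAINS:
        hits.append("net:ip-check-service")
    if SCREENSHOT_RE.search(event.get("target_file", "")):
        hits.append("file:screenshot-artifact")
    # Assumed heuristic: choice.exe with a /T timeout, spawned by something other than a
    # shell, is the delay-before-cleanup pattern; an interactive choice under cmd.exe is not.
    image = event.get("image", "").lower()
    cmdline = event.get("cmdline", "").lower()
    parent = event.get("parent_image", "").lower()
    if image.endswith("\\choice.exe") and "/t" in cmdline and not parent.endswith(SHELL_PARENTS):
        hits.append("proc:choice-delay")
    return hits


def scan(events):
    """Return (event id, labels) for every event that matched at least one indicator."""
    results = []
    for event in events:
        hits = classify(event)
        if hits:
            results.append((event["id"], hits))
    return results


# Constructed sample events (not real telemetry); fields mimic Sysmon EID 1 / 11 / 22.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\u\AppData\Roaming\upd.exe",
     "sha256": "0DD188237A562417F239FF9BE662F9336EC77A0906AF62C26516A8E6F767F9F5"},
    {"id": 2, "image": r"C:\Users\u\AppData\Roaming\upd.exe", "dest_host": "checkip.dyndns.org"},
    {"id": 3, "image": r"C:\Users\u\AppData\Roaming\upd.exe",
     "target_file": r"C:\Users\u\Documents\Screenshot.jpg"},
    {"id": 4, "image": r"C:\Windows\System32\choice.exe", "cmdline": "choice /C Y /N /D Y /T 3",
     "parent_image": r"C:\Users\u\AppData\Roaming\upd.exe"},
    {"id": 5, "image": r"C:\Windows\System32\choice.exe", "cmdline": "choice /C YN /M Continue?",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"id": 6, "image": r"C:\Program Files\Firefox\firefox.exe", "dest_host": "example.org"},
]

if __name__ == "__main__":
    for event_id, labels in scan(SAMPLE_EVENTS):
        print(event_id, labels)
```

Events 5 and 6 are benign controls: an interactive choice.exe under cmd.exe and ordinary browser traffic produce no label.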