MalwareBazaar | 158.94.211.63

Malware samples associated with tag 158.94.211.63

#snakekeylogger at:

https://intesmak\.com/obitwo

c2: https://api.telegram\.org/bot8099843793:AAGeYKMLti1IpyT9o6bz7OtgdXF9md25uXA

Been a while since I've seen a bundle:

https://app.any.run/tasks/854ff7f7-2165-4d69-8390-cd374c19b570

#remcos #rat #snakekeylogger

https://api.telegram\.org/bot8344787963 on the #snakekeylogger

Analysis Quotation.exe (MD5: 899BE63B33046D462FBD58BBD9E40CEB) Malicious activity - Interactive analysis ANY.RUN


SnakeKeylogger: analysis and Suricata rules to detect Base64-encoded SMTP exfiltration

Source: Trustwave (SpiderLabs Blog). In this publication, researchers present a complete methodology for analysing the SnakeKeylogger malware and building effective detection signatures. They show how the malicious code evades existing rules by Base64-encoding the data it exfiltrates over SMTP, and propose a practical workflow for collecting IOCs and continuously refining the signatures. 🔬 Network behaviour and evasion: the analysis highlights connections to malicious IPs on ports 80, 443 and 587, and the use of Base64 encoding in SMTP traffic to bypass detection rules.

CyberVeille

🚨 Control-Flow Flattening Obfuscated #JavaScript Drops #SnakeKeylogger.
The #malware uses layered obfuscation to hide execution logic and evade traditional detection.
⚠️ Our data shows banking is the most affected sector among our users, nearly matching all the other industries combined. As part of widespread #MaaS #phishing campaigns, Snake targets high-value industries including fintech, healthcare, and energy, making instant threat visibility and behavioral analysis essential.

🔗 Execution chain:
Obfuscated JS ➡️ ScriptRunner.exe ➡️ EXE ➡️ CMD ➡️ extrac32.exe ➡️ PING delay ➡️ Snake

The attack begins with a loader using control-flow flattening (#MITRE T1027.010) to obscure its logic behind nested while-loops and string shifts.

👾 The loader uses COM automation via WshShell3, avoiding direct #PowerShell or CMD calls and bypassing common detection rules.

❗️ Obfuscated CMD scripts include non-ASCII (Japanese) characters and environment variables like %…%, further complicating static and dynamic analysis.

Two CMD scripts are dropped into ProgramData to prepare the execution environment. This stage involves #LOLBAS abuse: legitimate DLLs are copied from SysWOW64 into “/Windows /” and Public directories. The operation is performed using extrac32.exe, a known #LOLBin, and JS script functionality. This combination helps bypass detection by imitating trusted system behavior.

📌 Persistence is established by creating a Run registry key pointing to a .url file containing the execution path.
🐍 Snake is launched after a short delay using a PING, staggering execution.

👨‍💻 See execution on a live system and download actionable report:
https://app.any.run/tasks/0d53bef9-c623-4c2f-9ce9-f1d3d05d21f3/?utm_source=mastodon&utm_medium=post&utm_campaign=obfuscated_js_snake&utm_term=240725&utm_content=linktoservice

Explore #ANYRUN’s threat database to proactively hunt for similar threats and techniques and improve the precision and efficiency of your organization's security response:
🔹 https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=obfuscated_js_snake&utm_content=linktoservice&utm_term=240725#%7B%2522query%2522:%2522commandLine:%255C%2522extrac32*.dll*.%255C%2522%2522,%2522dateRange%2522:180%7D
🔹 https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=obfuscated_js_snake&utm_content=linktoservice&utm_term=240725#%7B%2522query%2522:%2522commandLine:%255C%2522%255C%255C%255C%255CWindows%2520%255C%255C%255C%255C%255C%2522%2522,%2522dateRange%2522:180%7D
🔹 https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=obfuscated_js_snake&utm_content=linktoservice&utm_term=240725#%7B%2522query%2522:%2522commandLine:%255C%2522ping%2520%2520127.0.0.1%2520-n%252010%255C%2522%2522,%2522dateRange%2522:180%7D
🔹 https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=obfuscated_js_snake&utm_content=linktoservice&utm_term=240725#%7B%2522query%2522:%2522registryKey:%255C%2522%255C%255CRun$%255C%2522%2520AND%2520registryValue:%255C%2522.url$%255C%2522%2522,%2522dateRange%2522:180%7D

#IOCs:

👨‍💻 Gain full visibility with #ANYRUN to make faster, smarter security decisions.

#infosec #cybersecurity
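Hunting logic for the execution chain described in the post above, as an added example that is not ANY.RUN's code: it scans constructed process and registry telemetry for the extrac32.exe DLL copy, the loopback PING delay and the Run key pointing at a .url file, then flags hosts that show more than one stage. Event field names, hostnames and file paths are assumptions made for the example.

```python
from __future__ import annotations
import re

# Stage indicators follow the chain in the post; the regexes themselves are my own.
EXTRAC32_DLL_RE = re.compile(r"(?i)\bextrac32(\.exe)?\b.*\.dll\b")
PING_RE = re.compile(r"(?i)\bping(\.exe)?\b")
PING_COUNT_RE = re.compile(r"(?i)\s-n\s+\d+")
RUN_KEY_RE = re.compile(r"(?i)\\CurrentVersion\\Run$")


def match_event(ev: dict) -> list[str]:
    """Return the names of the chain stages a single telemetry event matches."""
    hits: list[str] = []
    if ev.get("type") == "process":
        cmd = ev.get("cmdline", "")
        if EXTRAC32_DLL_RE.search(cmd):            # LOLBin copying DLLs
            hits.append("extrac32_dll_copy")
        if PING_RE.search(cmd) and "127.0.0.1" in cmd and PING_COUNT_RE.search(cmd):
            hits.append("ping_localhost_delay")    # loopback ping used as a sleep
    elif ev.get("type") == "registry":
        if RUN_KEY_RE.search(ev.get("key", "")) and ev.get("data", "").lower().endswith(".url"):
            hits.append("run_key_url_persistence")  # Run value pointing at a .url file
    return hits


def hunt(events: list[dict]) -> dict[str, list[str]]:
    """Group matched stage names per host."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for stage in match_event(ev):
            findings.setdefault(ev["host"], []).append(stage)
    return findings


def chain_hosts(findings: dict[str, list[str]], min_stages: int = 2) -> list[str]:
    """Hosts with at least min_stages distinct stages. A lone loopback ping is a
    common benign batch-file delay idiom, so requiring two stages cuts that noise."""
    return sorted(h for h, s in findings.items() if len(set(s)) >= min_stages)


# Constructed sample telemetry (hostnames, paths and file names are made up).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process",
     "cmdline": 'extrac32.exe /Y C:\\Windows\\SysWOW64\\sample.dll "C:\\Windows \\"'},
    {"host": "ws01", "type": "process", "cmdline": "ping  127.0.0.1 -n 10"},
    {"host": "ws01", "type": "registry",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "data": "C:\\ProgramData\\sample.url"},
    {"host": "ws02", "type": "process", "cmdline": "ping 8.8.8.8 -n 4"},
    {"host": "ws02", "type": "registry",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "data": "C:\\Program Files\\App\\app.exe"},
    {"host": "ws03", "type": "process", "cmdline": "extrac32.exe /Y archive.cab C:\\temp"},
    {"host": "ws04", "type": "process", "cmdline": "ping 127.0.0.1 -n 5 >nul"},
]
```

Running `chain_hosts(hunt(SAMPLE_EVENTS))` returns only `ws01`; `ws04` has the ping delay alone and is surfaced only when `min_stages` is lowered to 1.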

After years of dominance in #ESET’s top #infostealer statistics, the era of #AgentTesla has come to an end. It finished H1 2025 in fourth place, its numbers having decreased by 57%. The reason? It is no longer under active development.
The threat actors behind Agent Tesla have reportedly lost access to the servers with the malware’s source code. A successor appeared almost immediately – another #MaaS threat, known as #SnakeStealer or #SnakeKeylogger, has claimed the number one spot.
Recommended as a suitable replacement directly in Agent Tesla’s Telegram channel, SnakeStealer now takes up almost a fifth of all infostealer detections registered by ESET telemetry. Between H2 2024 and H1 2025, its detections more than doubled.
If you want to find out more information about this changing of the guard in the infostealer threat landscape, head on over to #ESETThreatReport: https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025

Been seeing a spate of side-loaded DLLs...usually #snakekeylogger as of late:

https://app.any.run/tasks/acf4c11a-14f6-42b5-a752-0a4557f9023e

#snakekeylogger

c2: mail.alnozha-qa\.com

We have detected a recent malware campaign originating from a Türkiye IP. The campaign involved SnakeKeyLogger and XWorm, sent via emails primarily from `mail.haselayakkabi[.]com[.]tr` (SMTP IP: 45[.]144[.]214[.]104). The subject line was "<Recipient> received a new documents" with attachments like "SCS AWB and Commercial Invoice.rar" and a PNG of the Dropbox logo. Be cautious and stay safe!
The combination of XWorm and SnakeKeyLogger represents a significant threat to privacy, and is capable of stealing passwords, recording keystrokes, and exfiltrating the data using SMTP and Telegram.

Malware Analysis: https://tria.ge/250205-bqhf9stndn
Stay vigilant, everyone! 💻🔒

#malware #snakekeylogger #xworm #phishing #dns #mastodon #threatintel #cybercrime #threatintelligence #cybersecurity #infosec #infoblox #infobloxthreatintel

snakekeylogger | 512c9cc2ff12a390c6d3e9cb8c333230116361297920d724fbd847d4b6e1c7cc | Triage

Check this snakekeylogger report malware sample 512c9cc2ff12a390c6d3e9cb8c333230116361297920d724fbd847d4b6e1c7cc, with a score of 10 out of 10.

📢 #Malware campaigns #Italy - Week 52 🚨

☣️👻💣☠️
#Formbook: Ordine
#Lumma: Fake OpenAI
#SnakeKeylogger: Fattura
#Astaroth: Fattura
#AgentTesla: Booking

#mwitaly #CyberSecurity #MalwareAlert