Malware Analysis


During research conducted by Cyberthint’s cyber threat intelligence analysts under the “cyber patrol” program, it was detected that a threat actor had put malicious software named “WhiteSnake” up for sale under the MaaS (Malware as a Service) model on a dark web forum.

What is WhiteSnake Stealer? / About WhiteSnake Stealer

WhiteSnake Stealer is a stealer malware sold on underground hacker/cybercrime forums, first observed in early February 2023. It is written in .NET and is advertised as cross-platform, running on both Windows and Linux.

The noteworthy point was that, according to the threat actor’s announcement, the malicious software had cross-platform functionality.

According to the details in the sales announcement, WhiteSnake Stealer was offered for sale with a monthly MaaS fee of $120, an annual fee of $900, and a lifetime fee of $1,500.

Threat Identifiers

Threat Type: InfoStealer
Detections: VirusTotal (58/70)
Symptoms: It operates covertly on the system it runs on and continues its malicious activities. It cannot be detected on the system unless it is caught by an antivirus or a detailed incident analysis is performed.
Distribution Methods: The malware infects victims’ devices through macro-enabled email attachments, malicious websites, and software vulnerabilities.
Damage: It allows the threat actor to steal sensitive information such as browser passwords, cryptocurrency wallets and service accounts.

WhiteSnake Stealer Analysis and Findings

Static Analysis

File Name: WhiteSnake.exe
File Size: 29196 bytes
File Type: Executable

Initially, the Detect It Easy tool was used to identify the programming language the malware was developed in, and it was determined that it was written in C# from Microsoft’s .NET family.

After obtaining this information, static analysis continued using dnSpy, a .NET debugger and assembly editor.
When the malware is first executed, it creates a Mutex named “Iismnquexvzadgcnmtdldq” and uses it to ensure that it only runs once on the infected computer.

As we continue our static analysis, we discover that the obfuscated code of the malware uses a function named “Ietherdodlzpdpdaeslrdw” to de-obfuscate it.

The “Ietherdodlzpdpdaeslrdw” function shown in the above image is called to check whether the malware is running inside a virtual machine. If it is running on a physical machine, the de-obfuscation process is performed.

WhiteSnake Stealer uses the “AntiVM()” function to check if it is running in a virtual environment before executing its malicious activities. To perform this check, it uses the “SELECT * FROM Win32_ComputerSystem” WMI query. It then queries the manufacturer and model number obtained from the WMI query and terminates the process without performing any malicious activities if the information matches that of a virtual machine.

It runs a function called “Username()” to get the username. To do this:

It runs a function called “Compname()” to get the hostname of the computer. To do this, it reads the registry key “HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME”.

The malware runs a function called “IPAddress()” to get the IP address of the infected device.

The malware executes a function called “MakeScreenshot()” to take a screenshot of the infected computer at the moment of infection.

After the “AntiVM()” function is executed and the code is de-obfuscated, the malware calls a function called “Create()”, which in turn executes the ProcessCommands() function.

We have identified that this function is used to collect sensitive data from web browsers, FTP clients, messaging applications, and cryptocurrency wallets. In addition, the functions “Username(), Compname(), IPAddress(), MakeScreenshot()” mentioned above are also called from this function to collect system information.
WhiteSnake then converts the collected data into XML format using “XmlSerializer” and sends it to the C2 server.

Dynamic/Behavior/Network Activities/Analysis

During dynamic analysis of the WhiteSnake Stealer malware’s network traffic, it was observed that the “IPAddress()” function sends an HTTP GET request to the “” address to obtain the victim’s IP address.

When a request is sent to this address, it returns the requester’s IP address in raw form.

The image below shows that, after collecting sensitive data, the malware communicates with the address “ (” and sends the data to a Telegram bot. Because the transmitted data is encrypted, it cannot be read as cleartext on the network.
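As an added illustration (not part of Cyberthint’s report or the malware’s code), the following Python flags the two network behaviours described above in constructed EDR-style telemetry: an external IP lookup and a POST to the Telegram Bot API from a non-browser process, capturing the bot token for blocking or takedown reporting. The IP-echo hostname is a hypothetical placeholder since the report does not reproduce the real address, and the log format and bot token are constructed.

```python
import re

# Telegram Bot API URLs have the form https://api.telegram.org/bot<token>/<method>;
# the token is "<bot id>:<secret>", so capturing it identifies the attacker's bot.
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/(\w+)")

# Hypothetical placeholder for the IP-echo service the stealer queries; the report
# does not reproduce the real address, so substitute your own list here.
IP_ECHO_HOSTS = {"ip-echo.example"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}


def parse_line(line):
    # Constructed telemetry format: "<timestamp> <host> <process> <method> <url>"
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    _ts, host, process, method, url = parts
    dest = re.sub(r"^https?://", "", url).split("/", 1)[0]
    return host, process, method, url, dest


def detect(lines):
    # Each alert is (host, process, reason, bot_token); bot_token is "" unless a
    # Telegram bot upload was seen. Browser processes are skipped because they
    # legitimately reach both kinds of service.
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, process, method, url, dest = rec
        if process.lower() in BROWSERS:
            continue
        m = TELEGRAM_BOT_RE.search(url)
        if m and method == "POST":
            alerts.append((host, process, f"Telegram Bot API '{m.group(2)}' upload", m.group(1)))
        elif dest in IP_ECHO_HOSTS:
            alerts.append((host, process, "external IP lookup", ""))
    return alerts


# Constructed sample telemetry, not captured from the real sample.
SAMPLE = [
    "2023-03-01T10:00:01Z WS01 chrome.exe GET https://web.telegram.org/",
    "2023-03-01T10:00:05Z WS01 WhiteSnake.exe GET http://ip-echo.example/",
    "2023-03-01T10:00:07Z WS01 WhiteSnake.exe POST https://api.telegram.org/bot111111111:CONSTRUCTED_TOKEN/sendDocument",
]
```

Running `detect(SAMPLE)` yields one alert for the IP lookup and one for the Telegram upload, both attributed to the same host and process; the captured token is what you would report to Telegram or feed into a proxy deny rule.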

Mitre ATT&CK TTPs for WhiteSnake Stealer

Tactic            | Technique                                    | ID
Credential Access | Unsecured Credentials                        | T1552
Credential Access | Unsecured Credentials: Credentials In Files  | T1552.001
Credential Access | Steal Web Session Cookie                     | T1539
Discovery         | System Network Configuration Discovery       | T1016
Discovery         | Query Registry                               | T1012
Discovery         | System Information Discovery                 | T1082
Discovery         | Software Discovery                           | T1518
C&C               | Web Service                                  | T1102

Indicators of Compromise

SHA-256 Hashes:



WhiteSnake Stealer Yara Rule:

rule WhiteSnake
{
    meta:
        author = "Cyberthint"
        description = "Detects suspicious string 'WhiteSnake.Properties.Resources.resources' in a file"
    strings:
        $suspicious_string = "WhiteSnake.Properties.Resources.resources"
    condition:
        any of them
}


  • Do not open untrusted emails.
  • Do not visit untrusted websites.
  • Do not use torrent-sourced or cracked applications.
  • Use a reliable antivirus and keep it up to date.
  • Always keep your system up to date. If automatic updates are turned off, turn them on.


