WhiteSnake Stealer: Unveiling the Latest Version – Less Obfuscated, More Dangerous



SonicWall Capture Labs threat research team has observed a new variant of WhiteSnake Stealer. This stealer poses significant risks to users and organizations as it can steal critical sensitive data from compromised systems, including valuable information like web browser data, cryptocurrency wallets and much more. This new version has removed the string decryption code and made the code easy to understand.

Technical Analysis

After executing the file, the stealer verifies whether the mutex is already present to prevent two instances of the stealer from running simultaneously. The mutex value is specified in the stealer’s configuration. If the mutex is detected, the stealer terminates.

Figure 1: Performing mutex check


In this stealer, the AntiVM function is by default disabled (flag is set to 0). If the flag is set to 1 then it checks for the presence of sandboxes by utilizing the WMI (Windows Management Instrumentation) query “SELECT * FROM Win32_ComputerSystem” as we see below. By using this query, the stealer gets “Model” and “Manufacturer” properties and checks any property containing the below mentioned strings.

  • virtual
  • vmbox
  • vmware
  • thinapp
  • VMXh
  • innotek gmbh
  • tpvcgateway
  • tpautoconnsvc
  • vbox
  • kvm
  • red hat
  • qemu

If any of the string is present, then the stealer will exit.

Figure 2: Performing AntiVM check

Following an Anti-VM check, the malware invokes the Create() function, subsequently executing the ProcessCommands() function. This function is tailored to extract sensitive information from various sources, such as web browsers, messaging apps, FTP clients and cryptocurrency wallets, among others. ProcessCommands() function is responsible for stealing information from web browsers (which are listed below) such as “Cookies”, “Autofills”, “Login Data”, “History”, “Network\Cookies” and “Web Data”.

  • Mozilla Firefox
  • Thunderbird
  • Google Chrome
  • YandexBrowser
  • Vivaldi
  • CocCoc Browser
  • CentBrowser
  • Brave Browser
  • Chromium
  • Microsoft Edge
  • Opera
  • OperaGX

Apart from stealing web browser data, WhiteSnake stealer has the capability to grab cryptocurrency wallets and crypto wallet browser extensions. The table below shows the targeted cryptocurrency wallets and browser extensions.

Cryptocurrency Wallets

Cryptocurrency Wallet Name Targeted Directory
Ledger %AppData%\ledger live
Atomic %AppData%\atomic\Local Storage\leveldb
Wasabi %AppData%\WalletWasabi\Client\Wallets
Binance %AppData%\Binance
Guarda %AppData%\Guarda\Local Storage\leveldb
Coinomi %LocalAppData%\Coinomi\Coinomi\wallets
Bitcoin %AppData%\Bitcoin\wallets
Electrum %AppData%\Electrum\wallets
Electrum-LTC %AppData%\Electrum-LTC\wallets
Zcash %AppData%\Zcash
Exodus %AppData%\Exodus
JaxxLiberty %AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
JaxxClassic %AppData%\Jaxx\Local Storage\leveldb
Monero %UserProfile%\Documents\Monero\wallets

Table 1: Targeted Cryptocurrency Wallets

Crypto Wallet Browser Extensions

Extension Name Browser Extension ID
Metamask nkbihfbeogaeaoehlefnkodbefgpgknn
Ronin fnjhmkhhmkbjkkabndcnnogagogbneec
BinanceChain fhbohimaelbohpjbbldcngcnapndodjp
TronLink ibnejdfjmmkpcnlpebklmnkoeoihofec
Phantom bfnaelmomeimhlpmgjnjophhpkkoljpa

Table 2: Targeted Crypto Wallet Extensions


Again, in this version of WhiteSnake stealer persistence mode is disabled by default. If it is enabled, then the stealer creates persistence by copying itself in the %Appdata% directory before deleting the original file and creating a scheduled task to run the stealer every minute, as shown in the command below.

  • /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn “WhiteSnake_Stealer” /sc MINUTE /tr “C:\Users\Administrator\AppData\Local\RobloxSecurity\WhiteSnake_Stealer.exe” /rl LIMITED /f && DEL /F /S /Q /A “C:\Users\Administrator\Desktop\WhiteSnake_Stealer.exe” &&START “” “C:\Users\Administrator\AppData\Local\RobloxSecurity\WhiteSnake_Stealer.exe”

Here, the “RobloxSecurity” folder name is already present in the stealer configuration file.

Figure 3: Stealer code for persistence and deleting itself

Capturing Screenshots

WhiteSnake stealer also has the capability to capture screenshots on the victim’s machine. Some part of the code responsible for this capability is shown in the figure below.

Figure 4: Capturing a screenshot from the victim’s machine


In this version of WhiteSnake stealer, Keylogging functionality is disabled by default. If it becomes enabled or the attacker sends the command “KEYLOGGER”, then it captures the keystrokes of the victim’s machine. To do this task, the stealer needs Windows APIs, which it loads at run time. The APIs are listed here:

  • UnhookWindowsHookEx
  • CallNextHookEx
  • GetKeyState
  • GetKeyboardState
  • GetKeyboardLayout
  • ToUnicodeEx
  • MapVirtualKeyA

Figure 5: Part of the code responsible for keylogging


If an attacker sends the command MICROPHONE, then the WhiteSnake stealer first executes the “SELECT * FROM Win32_SoundDevice” WMI query to check whether the microphone is connected to the victim’s machine. If the microphone count is more than ‘0’, then microphone recording is started for a specified amount of time, as shown in the figure below.

Figure 6: Code responsible for microphone recording


After stealing the microphone recording, WhiteSnake stealer is also capable of grabbing webcam images. This stealer uses the “SELECT * FROM Win32_PnPEntity WHERE (PNPClass = ‘Image’ OR PNPClass = ‘Camera’)” WMI query. By using above mentioned WMI query, it first gets the count of webcams connected to the victim’s machine. If the count is equal to ‘1’, it tries to capture an image from the webcam and provides the image data as a byte array in PNG format.

Figure 7: Stealing webcam image

Targeting Apps

Again, this stealer can grab information from applications that are installed on the victim’s machine. As shown in the figure below, it is targeting email client applications like Outlook and Foxmail.

Figure 8: Targeting email client applications

Remote Access

Another distinctive characteristic of WhiteSnake stealer is its remote terminal, enabling an attacker to initiate a remote session with the infected machine and execute specific commands, including:

  • UNINSTALL: Ceases operation and removes itself from the system.
  • PING: Executes a ‘ping’-like operation and replies with a ‘pong’.
  • REFRESH: Refresh the log credentials.
  • SCREENSHOT: Takes a screenshot of the victim’s screen.
  • DPAPI: Decrypts encrypted sensitive data stored on the victim’s system.
  • WEBCAM: Capture a photo using the webcam.
  • MICROPHONE: Record sound from victim’s microphone.
  • COMPRESS: Compresses directory into ZIP.
  • DECOMPRESS: Unzips the ZIP contents to the current directory.
  • TRANSFER: Uploads the file to an IP address from the configuration.
  • GET_FILE: Fetches the content of a designated file.
  • LIST_FILES: Lists files in the current directory.
  • LIST_PROCESSES: Get running processes list.
  • PROXY_SETUP: Downloads and expose chosen port.
  • KEYLOGGER: Capture keystrokes.
  • LOADEXEC: Retrieves a file from a distant location and runs it.


  • Retrieve Credentials:

The command “chcp 65001 && netsh wlan show profiles|findstr /R /C:\”[ ]:[ ]\”” executed in a Windows command prompt sets the code page to UTF-8 and retrieves Wi-Fi profiles stored on the system and only steals profiles that likely have passwords associated with them. If any such profile is found, then, by using the command “chcp 65001 & netsh wlan show profiles name={0} key=clear | findstr \”Key\””, ssid);” it retrieves the stored profile names and associated passwords. It then decodes this information by Base64 and puts it into the “Apps\\WifiCredentials.txt” file.

  • Retrieve Nearby Networks:

The stealer does not stop after stealing Wi-Fi passwords. Next, it runs the command “chcp 65001 && netsh wlan show networks mode=bssid | findstr \”SSID BSSID Signal\”” to fetch information about available Wi-Fi networks on the compromised user machine focusing specifically on their names (SSID), unique identifiers (BSSID), and signal strength. It stores this information in the “Apps\\WifiNearby.txt” file as shown in the figure below.

Figure 9: Retrieving Wi-Fi credentials

System Information

WhiteSnake stealer gathers the victim’s system information like username, machine name, operating system, tag, IP address, screen resolution, CPU name, graphics info, RAM size, disk size, model, manufacturer and more. Below is a list of WMI queries which stealer uses to fetch the above-mentioned system information.

  • “SELECT * FROM Win32_Processor”, “Name”, “Unknown”
  • “SELECT * FROM Win32_VideoController”, “Name”, “Unknown”
  • “SELECT * FROM Win32_ComputerSystem”, “TotalPhysicalMemory”, “-1”
  • “SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3”
  • “SELECT * FROM Win32_ComputerSystem”, “Model”, “Unknown”
  • “SELECT * FROM Win32_ComputerSystem”, “Manufacturer”, “Unknown”

After collecting almost all system information, it collects all loaded DLL modules, all currently running processes and a list of all installed application names by querying the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall as shown in the figure below.

Figure 10: Code responsible for stealing processes and loaded DLLs from the victim’s system

Figure 11: Victim’s stolen data converted into XML format

When this process of stealing system information from the victim’s machine is complete, the stealer uses XmlSerializer class to serialize stolen information into XML format. After serialization, it compresses the same information and encrypts it using an RC4 encryption algorithm with a randomly generated key. The key is generated using the RNGCryptoServiceProvider() method.

Figure 12: Performing RC4 and RSA encryption

It is noteworthy that when the attacker has the RC4 + RSA encryption option enabled (by default), then the RC4 key is encrypted with RSA encryption, and the RSA public key is stored in the configuration.

Figure 13: RSA Public Key

Data Exfiltration

WhiteSnake stealer tries to send the victim’s stolen information to the attacker’s C&C, which is already present in the stealer’s binary. First, it appends Base64 encoded stolen information like username, country and more to C&C and makes a complete URL. Here is an example:


Figure 14: Trying to exfiltrate stolen information

Since this URL is down while writing this blog post, function SendC2() returns false. After this, the stealer creates a WSR file. This filename begins with five random characters followed by _username`, @computername and _report. The WSR is the file containing the exfiltrated data.

Here is an example of a WSR file name generated this way:


After this, the stealer again tries to upload the WSR log file to one of the servers listed in the configuration file. If a server is unavailable and the web request fails, the stealer attempts the next IP address on the list as shown below.

Figure 15: Trying to exfiltrate the WSR log file

Figure 16: Data exfiltration using PUT request

After successfully exfiltrating stolen information from the victim’s system to one of the attacker’s IP addresses,  the stealer attaches tags like OS version, country, username, computer name, the exfiltration file size and the IP where the data is being sent to and sends the data to this Telegram bot URL:


Figure 17: Sending stolen information to Telegram Bot

SonicWall’s RTDMI engine detected this threat.

Indicators of Compromise (IOCs)

SHA256: 94048358360fd46766cdf1d4f487c1c61a391f97ebc10704c388170ae4e66b88

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.