MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ff6781bac4d77465a973def710d9619cfa7fc6fe16a78225b7e22d3a89d0be0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 12


Intelligence 12 IOCs YARA 10 File information Comments

SHA256 hash: 9ff6781bac4d77465a973def710d9619cfa7fc6fe16a78225b7e22d3a89d0be0
SHA3-384 hash: f880f3163fd51dc5f37017e1102cbfa9df9622c79137442b2ae6e880d2a558f1111df7aa7cd74d45bc40cad44af1f085
SHA1 hash: b2ea7197933811fc65425d46324af8ee231117f3
MD5 hash: fcce8f5a7e5fcdf78c02d6543c1af2bd
humanhash: ten-vermont-colorado-artist
File name:GUÍA DE CARGA...exe
Download: download sample
Signature SnakeKeylogger
File size:325'929 bytes
First seen:2021-09-27 17:30:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (241 x Formbook, 141 x AgentTesla, 104 x SnakeKeylogger)
ssdeep 6144:F8LxBs9fvNLROF9fYjzpeoG7DDCImlUR7WJDVcQTJ8iL2A03cu:/p1LQUj9eL7SIm87WJHJ8+2b3cu
Threatray 440 similar samples on MalwareBazaar
TLSH T1FC6422073A48E9F7F150267071BADB75F2B6D84C042914875FB4ABAFB46B9C6530E702
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (128 x Formbook, 59 x Loki, 47 x DiamondFox)
Reporter @abuse_ch
Tags:ESP exe geo SnakeKeylogger

Intelligence


File Origin
# of uploads :
1
# of downloads :
181
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
ID:
1
File name:
GUÍA DE CARGA...exe
Verdict:
Malicious activity
Analysis date:
2021-09-27 17:34:11 UTC
Tags:
trojan snakekeylogger keylogger evasion

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a process from a recently created file
Launching a service
Creating a window
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Malware family:
Snake Keylogger
Verdict:
Malicious
Result
Threat name:
Snake Keylogger
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code references suspicious native API functions
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Nsisx
Status:
Malicious
First seen:
2021-09-27 17:31:07 UTC
AV detection:
12 of 45 (26.67%)
Threat level:
  5/5
Result
Malware family:
snakekeylogger
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Unpacked files
SH256 hash:
9ff6781bac4d77465a973def710d9619cfa7fc6fe16a78225b7e22d3a89d0be0
MD5 hash:
fcce8f5a7e5fcdf78c02d6543c1af2bd
SHA1 hash:
b2ea7197933811fc65425d46324af8ee231117f3
Malware family:
Phoenix
Verdict:
Malicious

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Author:lsepaolo

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 9ff6781bac4d77465a973def710d9619cfa7fc6fe16a78225b7e22d3a89d0be0

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments