MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0061607aee4d9ba9256a994ba445144beeb9077a57921ee73522d6e3144d09bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	0061607aee4d9ba9256a994ba445144beeb9077a57921ee73522d6e3144d09bc
SHA3-384 hash:	d22cf32e19f612365207fd9866b50bf7a6cd40459b94fedf25615bd0734379bcedff19289946aea15e2e002546768db9
SHA1 hash:	8462c93e2952eff994ccad634dceda01d4e7b207
MD5 hash:	169086be894cd243b603faee33689fb2
humanhash:	vegan-cat-black-solar
File name:	Payment slip & Invoices.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	470'528 bytes
First seen:	2022-01-13 10:32:46 UTC
Last seen:	2022-01-13 14:12:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:EWpc7I2hIJwKLbBvyrRupF3CGqXi5Svj45SYhhCaveyYUF/GEed5WtXpR:EGc7PWaKLZHlCGGdHu3
Threatray	4'074 similar samples on MalwareBazaar
TLSH	T17FA49DAC365070DFC46BCA368AA45C54AA61BC77570BD207A053329CDA6DAD7CF206F3
Reporter	cocaman
Tags:	exe INVOICE SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

275

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Payment slip & Invoices.exe

Verdict:

Malicious activity

Analysis date:

2022-01-13 10:36:09 UTC

Tags:

evasion trojan snakekeylogger keylogger

Link:

https://app.any.run/tasks/5ecf152a-e879-4c4d-b28b-bda9a12e2400

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/218976/

Detection(s):

SecuriteInfo.com.Variant.Bulz.903444.4483.28668.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe obfuscated packed

Link:

https://www.filescan.io/uploads/61dfffe2e997359713e57919/reports/d3240d0c-def8-498f-ad61-9e9c8f86a94c/overview

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3c1507c3-b8dd-4ee7-8c8c-a66374e08cc2

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/919968

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Contains functionality to capture screen (.Net source)

Disables the Windows registry editor (regedit)

Disables the Windows task manager (taskmgr)

Disables Windows system restore

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/0061607aee4d9ba9256a994ba445144beeb9077a57921ee73522d6e3144d09bc/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2022-01-13 10:33:18 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=abqwa6xojwn2sjlktff2iriujpxlsb32k6jb5zzvellogfcnbg6a._file

Verdict:

malicious

SnakeKeylogger

29fd00417de03cef0e88cf3c5622255e6a1be13fda99f62fcc043a8c8781f0a9

SnakeKeylogger

4544c0f6f2ad421265500481531a22ce1727be7d5e143e119025dfec688279b8

SnakeKeylogger

45905557fb1b6dc4d3cafb7f3f942f7569f042afcf67a92e7a3fc943327bd686

SnakeKeylogger

c00bd830c55dcbbbd748f89debba097fd9eccc44ef56f8395aad3057199e01c0

SnakeKeylogger

cfa17d1fd033ac512c742be3be5e232441270f1887d370f2db24acf3b5cbcba8

SnakeKeylogger

e9ed6f39b10617c49e9661dd6413cb1398a4325fb4708c0cfa0ed3fc3aac09c6

SnakeKeylogger

+ 4'064 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection evasion keylogger spyware stealer

Link:

https://tria.ge/reports/220113-mlk75shdh3/

Behaviour

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Snake Keylogger

Snake Keylogger Payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendMessage?chat_id=1063661839

Unpacked files

SH256 hash:

f6e7ff8750bb95c0b3066ce15513eea53b990a8b52065caf94c5023b2cf224e3

MD5 hash:

1b51a0d28e91f5dd17e957e19b94bf90

SHA1 hash:

fbf9a7d586b73f1f8251636c28b52c3e088183ee

Link:

https://www.unpac.me/results/ad8e7832-4ef4-46cd-a4c0-f986bde641cd/

SH256 hash:

881837e9c3053920be43593a594ed464fd77b22f7bb3cc0c12a988950ef05ce2

MD5 hash:

4869bd0210e98205d6ee0a678e6d51c8

SHA1 hash:

b57de9f2b23028813a6484173458e0b8e991d644

Link:

https://www.unpac.me/results/ad8e7832-4ef4-46cd-a4c0-f986bde641cd/

SH256 hash:

1102d76935981cede43a9b30cd969917b4497105d110107916f1fe561eae91a7

MD5 hash:

25d823ece88c612e86a8369b0c2aadc4

SHA1 hash:

7db8f463fc7a4e2d4a1850b5e1ff17983679fa89

Link:

https://www.unpac.me/results/ad8e7832-4ef4-46cd-a4c0-f986bde641cd/

SH256 hash:

0061607aee4d9ba9256a994ba445144beeb9077a57921ee73522d6e3144d09bc

MD5 hash:

169086be894cd243b603faee33689fb2

SHA1 hash:

8462c93e2952eff994ccad634dceda01d4e7b207

Link:

https://www.unpac.me/results/ad8e7832-4ef4-46cd-a4c0-f986bde641cd/

Malware family:

Phoenix

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/0061607aee4d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/0061607aee4d9ba9256a994ba445144beeb9077a57921ee73522d6e3144d09bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.