MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 039c261036b80fd500607279933c43c4f1c78fdba1b54a9edbc8217df49ec154. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 12 File information Comments

SHA256 hash:	039c261036b80fd500607279933c43c4f1c78fdba1b54a9edbc8217df49ec154
SHA3-384 hash:	56333701c1ac858dabf498de5b1a3a912168193ad8a2e2b75e386806fad29b76313951bfdd88eee83b24551efec8e72f
SHA1 hash:	b11ff0b977b16863c34dc35126f1d3d13ab5cc4f
MD5 hash:	5ca02369b45067fe039314f38b286767
humanhash:	yellow-fifteen-ohio-pizza
File name:	039c261036b80fd500607279933c43c4f1c78fdba1b54a9edbc8217df49ec154.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	481'280 bytes
First seen:	2022-04-25 05:21:35 UTC
Last seen:	2022-04-25 05:30:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'672 x AgentTesla, 19'494 x Formbook, 12'214 x SnakeKeylogger)
ssdeep	12288:eR3E3HDei3oXA2jCXgXLz/HQOqzjW/NP:eRU3Hq6oXA2jBXHnqzjG
Threatray	2'756 similar samples on MalwareBazaar
TLSH	T17CA4E02D37E88900E2BED9B225B14011C7B9A802195FEE0D57D2F42D3E3D6948E5AFD7
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13101/52/3) 8.6% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	xme
Tags:	exe sansisc SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

273

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/266224/

Detection(s):

ditekSHen.MALWARE.Win.Trojan.SnakeKeylogger.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Launching the process to change network settings

Creating a window

Setting a global event handler for the keyboard

Forced shutdown of a browser

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm cmd.exe control.exe evasive hacktool netsh.exe obfuscated packed replace.exe stealer stealer

Link:

https://www.filescan.io/uploads/62663037de94014db6253fab/reports/23fa3522-1fe7-4507-944f-85aabe684030/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/982196

Signature

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Contains functionality to capture screen (.Net source)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/039c261036b80fd500607279933c43c4f1c78fdba1b54a9edbc8217df49ec154/

Threat name:

ByteCode-MSIL.Infostealer.Mintluks

Status:

Malicious

First seen:

2022-04-25 05:22:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=aoocmebwxah5kadaoj4zgpcdyty4pd63ug2uvhw3zaqx35e6yfka._file

Verdict:

malicious

SnakeKeylogger

2c0096a156e0e652f2a5e45df812b92554b4ecda252d634daa9b13c69ced3c20

SnakeKeylogger

8c6f84113616b1af6dc8e1a8aaa38108aec5c9b2e5862a9c17ca609cdf51e5e5

SnakeKeylogger

8d583ca6c10494ab0e0f8375d65e5f1f999c8ddfeab0bf4b7aa4e19bef9f0873

SnakeKeylogger

be67149051cd685b5aa56bdbee718412157f65ff953ae7261dfa9fedfdd3e08c

SnakeKeylogger

c586cdae80de6a25dc94c91083dc6468b282767f522d49496f01d6e07e3b7ab0

SnakeKeylogger

eecb2904ac3b26aa730dc310741832f18a241754357cbd222b0497e414088a8f

SnakeKeylogger

+ 2'746 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection spyware stealer

Link:

https://tria.ge/reports/220425-f2j7fsbde8/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Drops file in Windows directory

Accesses Microsoft Outlook profiles

Drops desktop.ini file(s)

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

039c261036b80fd500607279933c43c4f1c78fdba1b54a9edbc8217df49ec154

MD5 hash:

5ca02369b45067fe039314f38b286767

SHA1 hash:

b11ff0b977b16863c34dc35126f1d3d13ab5cc4f

Link:

https://www.unpac.me/results/42f2ff41-9431-49d2-ae19-ddd6f239977e/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/039c261036b8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/039c261036b80fd500607279933c43c4f1c78fdba1b54a9edbc8217df49ec154

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Lokibot_Stealer Create hunting rule
Description:	Detects Lokibot Stealer Variants

Rule name:	pdb2 Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/266224/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample