MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 039c261036b80fd500607279933c43c4f1c78fdba1b54a9edbc8217df49ec154. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments

SHA256 hash: 039c261036b80fd500607279933c43c4f1c78fdba1b54a9edbc8217df49ec154
SHA3-384 hash: 56333701c1ac858dabf498de5b1a3a912168193ad8a2e2b75e386806fad29b76313951bfdd88eee83b24551efec8e72f
SHA1 hash: b11ff0b977b16863c34dc35126f1d3d13ab5cc4f
MD5 hash: 5ca02369b45067fe039314f38b286767
humanhash: yellow-fifteen-ohio-pizza
File name:039c261036b80fd500607279933c43c4f1c78fdba1b54a9edbc8217df49ec154.exe
Download: download sample
Signature SnakeKeylogger
File size:481'280 bytes
First seen:2022-04-25 05:21:35 UTC
Last seen:2022-04-25 05:30:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (29'903 x AgentTesla, 9'527 x Formbook, 4'668 x SnakeKeylogger)
ssdeep 12288:eR3E3HDei3oXA2jCXgXLz/HQOqzjW/NP:eRU3Hq6oXA2jBXHnqzjG
Threatray 2'756 similar samples on MalwareBazaar
TLSH T17CA4E02D37E88900E2BED9B225B14011C7B9A802195FEE0D57D2F42D3E3D6948E5AFD7
Reporter @xme
Tags:exe sansisc SnakeKeylogger

Intelligence


File Origin
# of uploads :
2
# of downloads :
238
Origin country :
BE BE
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
–°reating synchronization primitives
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Launching the process to change network settings
Creating a window
Setting a global event handler for the keyboard
Forced shutdown of a browser
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm cmd.exe control.exe evasive hacktool netsh.exe obfuscated packed replace.exe stealer stealer
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Snake Keylogger
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Contains functionality to capture screen (.Net source)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Infostealer.Mintluks
Status:
Malicious
First seen:
2022-04-25 05:22:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Result
Malware family:
snakekeylogger
Score:
  10/10
Tags:
family:snakekeylogger collection spyware stealer
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Drops file in Windows directory
Accesses Microsoft Outlook profiles
Drops desktop.ini file(s)
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
039c261036b80fd500607279933c43c4f1c78fdba1b54a9edbc8217df49ec154
MD5 hash:
5ca02369b45067fe039314f38b286767
SHA1 hash:
b11ff0b977b16863c34dc35126f1d3d13ab5cc4f
Malware family:
SnakeKeylogger
Verdict:
Malicious

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments