MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ca4084b3032011f18ada96a4d6365a17c26ba745e8d4df2d4b246529e186eb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ca4084b3032011f18ada96a4d6365a17c26ba745e8d4df2d4b246529e186eb4
SHA3-384 hash: 62cdfc1e8193587aaa2d77cebbb1b6157f7df8e2f5dff156e50c90fa2438208d840e55c4531582786550a01dfd319e87
SHA1 hash: 0efdf6000c6f904e8e3d069f3aa60735ac22ee3d
MD5 hash: da901f307bf2854797760f426fe7d29a
humanhash: winter-nineteen-wisconsin-cup
File name:SecuriteInfo.com.Win32.DropperX-gen.4947.3209
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:7'680 bytes
First seen:2022-12-01 16:32:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'751 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 96:ki6hB8+hZ+F6jfcOXn1NGnH7pIdv7Z9X0nBNqrkPQL/3GnUODL:im6jfcOCnbuxXXe7qAE/v0
Threatray 10'382 similar samples on MalwareBazaar
TLSH T123F1D614E79D8233E81A8F35A9F3529007B89B53AAC7EF7FDF84050F6C4224442A26F4
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter SecuriteInfoCom
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.DropperX-gen.4947.3209
Verdict:
Malicious activity
Analysis date:
2022-12-01 16:36:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9ec71f47-919f-4d3c-b7d6-f946c23a3e22

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/341224/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.4947.3209.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Searching for the window
Launching a process
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6388d73eba2a5a5de180184f/reports/4272f5af-3642-4e35-a514-bcdd2b2d4ba8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f9f0f5ed-0729-4868-9150-8b4e08e3d437
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1125571
Signature
.NET source code contains potential unpacker
Encrypted powershell cmdline option found
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 758293 Sample: SecuriteInfo.com.Win32.Drop... Startdate: 01/12/2022 Architecture: WINDOWS Score: 68 21 Snort IDS alert for network traffic 2->21 23 Multi AV Scanner detection for domain / URL 2->23 25 .NET source code contains potential unpacker 2->25 27 Machine Learning detection for sample 2->27 7 SecuriteInfo.com.Win32.DropperX-gen.4947.3209.exe 15 3 2->7         started        process3 dnsIp4 19 185.246.220.210, 49699, 80 LVLT-10753US Germany 7->19 29 Encrypted powershell cmdline option found 7->29 11 powershell.exe 16 7->11         started        13 powershell.exe 10 7->13         started        signatures5 process6 process7 15 conhost.exe 11->15         started        17 conhost.exe 13->17         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ca4084b3032011f18ada96a4d6365a17c26ba745e8d4df2d4b246529e186eb4/
Threat name:
ByteCode-MSIL.Trojan.Snakekeylogger
Create hunting rule
Status:
Malicious
First seen:
2022-12-01 16:33:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bssaqszqgiar6gfnvfve2y3fuf6cnotul2gu34wuwjdffhqyn22a._file
Verdict:
malicious
Similar samples:
037222fe01d316ca4fb55cb263065fa2327e29d3d1d74d0ca75e1d162cc48b67
SnakeKeylogger
22d33f1ffa8eb0c8b180c01fa01c71f5c2662bd4283eea6921c4c47772edd5b3
SnakeKeylogger
5f01277eb7aa0580f6c084ed456dc42c06a2d0a1be268fb2ec650c82c752afde
SnakeKeylogger
8572c3b461f643bf5baaeb032cf81f83af78dcc60e34d98c669d12f748bb38f3
SnakeKeylogger
931c62a6d7d843e91272d042eabd77c1f23984d36232c6dfef06320c13940bb9
SnakeKeylogger
93e14875bc031dbac8ba67009e2fe2f7c3e52e7f2bfafdd01ef929bcbd593851
SnakeKeylogger
b7dbc97b8a087264217178dbff138d86940c1da6ae255a47cf98f0fa86d767e0
SnakeKeylogger
f45ed09f500667f7fbae32453fa1464a6003dc9ef3be284e156a43bacd3c2147
SnakeKeylogger
+ 10'372 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger persistence spyware stealer
Link:
https://tria.ge/reports/221201-t2h62sbd61/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/feed200c-da73-4ddc-8288-59ff4e252492
Unpacked files
SH256 hash:
0ca4084b3032011f18ada96a4d6365a17c26ba745e8d4df2d4b246529e186eb4
MD5 hash:
da901f307bf2854797760f426fe7d29a
SHA1 hash:
0efdf6000c6f904e8e3d069f3aa60735ac22ee3d
Link:
https://www.unpac.me/results/5fc2255b-b379-4c16-bb25-83c1a6ffa6b3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0ca4084b3032011f18ada96a4d6365a17c26ba745e8d4df2d4b246529e186eb4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/341224/

Comments