MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ca81feea4b45d3c004c6f98c4d092227dd5c0a32044f19956117f9ee4dbc749. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 16


Intelligence 16 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ca81feea4b45d3c004c6f98c4d092227dd5c0a32044f19956117f9ee4dbc749
SHA3-384 hash: b9f7533dc317b9b573315ccdfd71525de9e68aec22c5e91eca5f2135b92785b24e1e2afd4547390e51205da998707be3
SHA1 hash: f4dcac343341c00de26efab7a322f340eb60a6bc
MD5 hash: be0ed4e084dcd75c846181fe83465e89
humanhash: ceiling-carbon-sink-blossom
File name:5f8911mgZd9FLa2.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:718'856 bytes
First seen:2025-04-10 10:21:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:UVK/e5E/p/wXI19y205T8YLSbsOZsrVI8cA9LcHBRjdYikrXP+4El/2w7OfKgzte:k5al05/LT1IXA9LchP+rmpJj7y/SF
Threatray 3'203 similar samples on MalwareBazaar
TLSH T14EE41217293AD803C5921B701EA3D2F666789FDCBA18C703AEED7CDF79B62452240359
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 60e09696f01717e0 (5 x Formbook, 5 x MassLogger, 2 x Neshta)
Reporter cocaman
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
466
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
829284eb349b472d5a2265b033f159c1cd692704a2c0d77239d9378c0ecc7330
Verdict:
Malicious activity
Analysis date:
2025-04-10 02:40:26 UTC
Tags:
arch-exec evasion snake keylogger netreactor telegram stealer
Link:
https://app.any.run/tasks/b50e6e23-cae4-4f2d-995b-75d56fefe349

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/1569/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f72f99f9ba909217ce77c4
Tags:
kryptik micro spam msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Forced shutdown of a system process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
expired-cert invalid-signature obfuscated packed packed packer_detected signed vbnet
Link:
https://www.filescan.io/uploads/67f79bd29a45590291156ad6/reports/ba812f18-85d7-46f0-9516-3bc21a74e31d/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/0ca81feea4b45d3c004c6f98c4d092227dd5c0a32044f19956117f9ee4dbc749
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3525eebf-6412-48d4-93c0-d75f9cbf8680
Result
Threat name:
Snake Keylogger, VIP Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1661746
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1661746 Sample: 5f8911mgZd9FLa2.exe Startdate: 10/04/2025 Architecture: WINDOWS Score: 100 50 reallyfreegeoip.org 2->50 52 api.telegram.org 2->52 54 2 other IPs or domains 2->54 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 66 10 other signatures 2->66 8 5f8911mgZd9FLa2.exe 7 2->8         started        12 rZJAjAq.exe 5 2->12         started        signatures3 62 Tries to detect the country of the analysis system (by using the IP) 50->62 64 Uses the Telegram API (likely for C&C communication) 52->64 process4 file5 38 C:\Users\user\AppData\Roaming\rZJAjAq.exe, PE32 8->38 dropped 40 C:\Users\user\AppData\Local\...\tmpABF0.tmp, XML 8->40 dropped 42 C:\Users\user\...\5f8911mgZd9FLa2.exe.log, ASCII 8->42 dropped 68 Uses schtasks.exe or at.exe to add and modify task schedules 8->68 70 Writes to foreign memory regions 8->70 72 Allocates memory in foreign processes 8->72 76 2 other signatures 8->76 14 powershell.exe 23 8->14         started        17 vbc.exe 15 2 8->17         started        20 powershell.exe 21 8->20         started        22 schtasks.exe 1 8->22         started        74 Multi AV Scanner detection for dropped file 12->74 24 vbc.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 78 Loading BitLocker PowerShell Module 14->78 28 conhost.exe 14->28         started        30 WmiPrvSE.exe 14->30         started        44 api.telegram.org 149.154.167.220, 443, 49738, 49750 TELEGRAMRU United Kingdom 17->44 46 checkip.dyndns.com 193.122.130.0, 49720, 49723, 49725 ORACLE-BMC-31898US United States 17->46 48 reallyfreegeoip.org 104.21.96.1, 443, 49721, 49722 CLOUDFLARENETUS United States 17->48 32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        80 Tries to steal Mail credentials (via file / registry access) 24->80 82 Tries to harvest and steal browser information (history, passwords, etc) 24->82 36 conhost.exe 26->36         started        signatures9 process10
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0ca81feea4b45d3c004c6f98c4d092227dd5c0a32044f19956117f9ee4dbc749
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ca81feea4b45d3c004c6f98c4d092227dd5c0a32044f19956117f9ee4dbc749/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-04-10 02:40:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bsub73vewrotyacmn6mmjuesej65lqfdebcpdgkwcf7z5zg3y5eq._file
Verdict:
malicious
Label(s):
captiveaaloader
Create hunting rule
unc_loader_037
Create hunting rule
vipkeylogger
Create hunting rule
Similar samples:
ab68d4e831745aa5364ad14203a0a9669a5362913b09263eb4e06681f62007c5
SnakeKeylogger
d360ba3b74cc01e2352a4070922b2dca3d46c7bfe5e4cde8ac474274f8522455
SnakeKeylogger
d3b0e954250d481d37ce371255c6eb7deb4bb53c1784f2a7111487bb42f4ee5e
SnakeKeylogger
dc14e11fa87b2110c957be1632f6ce7c9f4d02a53401337d4a9d60d42ecb4b4a
SnakeKeylogger
+ 3'193 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250410-md97asymx8/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Uses the VBS compiler for execution
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7774d894-0c54-4141-9ffd-1c724c4e0c20
Unpacked files
SH256 hash:
0ca81feea4b45d3c004c6f98c4d092227dd5c0a32044f19956117f9ee4dbc749
MD5 hash:
be0ed4e084dcd75c846181fe83465e89
SHA1 hash:
f4dcac343341c00de26efab7a322f340eb60a6bc
Link:
https://www.unpac.me/results/2d0a4ce6-de53-44d7-b3e6-cdd945d0fb30/
SH256 hash:
12a2f126b6a88fedde71ebc6054072165de6a09ba5c0de06566ed2a62a98b0a2
MD5 hash:
28865899e7e5ae991fadaa1c0e1d5884
SHA1 hash:
54660ef797b69faee513ef6cf5c462f7a743e89e
Detections:
win_404keylogger_g1
Create hunting rule
MAL_Envrial_Jan18_1
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Link:
https://www.unpac.me/results/2d0a4ce6-de53-44d7-b3e6-cdd945d0fb30/
Parent samples :
867af082ab5f5e7468aab5bca97063c60877f44c2d39c0ad02f1a1e721c92260
ab68d4e831745aa5364ad14203a0a9669a5362913b09263eb4e06681f62007c5
1792b62467af9326272e0190ddd1e22c6217f23637ab47b9fbe0098ca3800c6d
8e4108d867c054d193cca6c2f9fcfa7288d7a1b9e6ac9e41ae60cfd15b1e0572
a29feb5a19c2eb1dd0a09402eabca6d9a721c4f46e5f1ec013e36ee3069e0f3d
0d53038edfae7a4ff9c96ade284680a5a46c5958942262357c89f0740ad02458
9899807e67d1974a32123f6967f1c46c05f8c0769f5c1ba5127f966a697a2c77
69f684f1e3a4c73362a0e9d775ec1717be3e730bee70a096b578775c0df39ddf
755f9071cf58c7d3729758cc3143fcd738b813977ca81ef2067a27e113881a9d
3ab9c6d950c228d286795fd61b70a4bd7c1c3de889ccac47dc68d5f23a24408e
3543cb3f9359037b6f177ab44ef175f17017381b33759d9709b46268f248012a
a6d1bf193f5a5f2f6f9e766dffb51b66122e96dc8d2b76c3674fe2968d32c811
0ca81feea4b45d3c004c6f98c4d092227dd5c0a32044f19956117f9ee4dbc749
2bc972f3ec09f8d1bdc1b25a3fe57db9a08577117d3a0d0ce5e5282e976d9111
64298970a96368b940e957cef55f70a07d63151df38c3b73818e83c4a4caebf6
SH256 hash:
d1565b7e500f1d93873d3a5d622385a03278f79dbb35281ab4aea1896e2ac030
MD5 hash:
af69bcbcf5c38f9e1b050b199a8a0d3b
SHA1 hash:
7d5b9e7c687e091651b5aac0c0196e1ce82516c5
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/2d0a4ce6-de53-44d7-b3e6-cdd945d0fb30/
Parent samples :
2a70db0a80475b95076e3ac773bf31a512eac29e3bc6f2742146815dd209f5e9
804ca58e99fe47f33eb0ee7db9b0e4794dbe30c165f219bd85884f0f84ac7846
8a83249f26da9d22a6f3c1de677e98b4872368f013d21e87391417bf31da0b98
af33ab150d8a4076d522d235ff3b77508ec19e52b6ac17bdb6eccd842f6babc4
a6d1bf193f5a5f2f6f9e766dffb51b66122e96dc8d2b76c3674fe2968d32c811
41d7369f717e33a88918da397a21fdc2a1db9c76629b7d5c6be1786f8cee9d5a
a05882d8e179d3a1a3ac69ce4b81bc72ee80f026d921e2598a5eddefd803511b
1b9ddbe7a21e44c82dc78c8e8361baca31adea4d8a8e673536b249b46305860c
2c815316f091040c2f89bcbaae0464cd89a9bfd5225f917ac01fabb9136a3fd4
fc523562bc368e6ab9c0106a1f3d6e23c4104f120c65c65b9c9adb2ee57c63ca
fd4c4d051a2d6a69a40e1e8f2f4a1cbcd54a4f27fd7ab4843452c98611aad9c7
c7d5e01e287cfc5c4c967c1ec895659bf25a80fbe8266a87f083bc80ddc82cce
46b9ea7cdf572a0e0128450f141ab2c31922dbbea4b632401fe42d85ba21cbcd
88d63b81ce4d25ca852251449940416ac2a8c61f5cf4a452ab690d26dc372876
72be9fedc41813b76d9a0707925542a7919f9192ca9cdc8ef82b952dce22da4f
4ac15244ddd64dbbf277c8d20628a9593dc0df8feafd932a7746d1b99c2ba826
17445fc3b78c7a08d5c4bc4164d04f99a4906ca50fc7552c1420c9efbebfe215
ef31c771e1f44656fdc9e84c3745d8bef369879697c144110edac6b814878ee3
071ecee4bd6564ec46147d2cf3f94c230f6da364a7eca4305e2f69f56e8ac4e4
30d5fcd7da81bc0b8d77d5b3547a227bac06bc781990f528c0bd78d696235779
90c33f008fb667cf96ff92b14f8834e702e3f4444d195328c9be186e801e6823
4dce97ef955a132177e7043fc0d11e35c3e1d03f833b3b30951d7b2ce6db735e
094c46819bcd5e6fb0d7cc1415452e1ad1654da29a54685ecb8f92c751bb0822
d3b0e954250d481d37ce371255c6eb7deb4bb53c1784f2a7111487bb42f4ee5e
1ebc38bc1bd49c8564e94d2242c4deed0bd0d69c0086ab7cc2dc180c77a989ce
b4391a76a1e786d93c45cb78576609d9f75ce63d9253edac9c66ef921b5a7de6
909759c61b9cc4ea2307f313c5d944e3cc6c5210aabb7d53477262b725aa086e
15a7845256801920c72d8eb0b8be091fc8e6bc2461bf1cc53db2cf2b3c76b315
53fbed42c919ae2818899979a637b0d9d9b7df437ee239c2bc60945053b9ed07
82ebf6faf3f97b1fdc2508ef2fb4c22c5e39bd2572c95d358574d2bfe280aa3a
dbb10cc6fb3fc9fca393ff312d53af0d938aae2099e23dd69d1fb9ce6828f3b8
f8984264632a0aba48bcd90967988aa1d2c10f9381d00abc08456431ea46d208
e594f00895dd29d763379ee4aa87c6004e811385f71077959674c4ef636f5a2e
761766237d7a8d58a5cdf2aa5ccace247b724d033d3196bc441c6a9c31717561
b1e2b8b0806852aa586a0491fc91a832babfff3882eaed12a6b7d2e7b776d4c4
b259302d7ea5bfb1f2ad8f50e8de4df48d96021070ee77c5b7819583ec43f372
6bb21551577d98edc3a3c4db8d941258f86c89db185fa2095f54ad4944a62b87
0ca81feea4b45d3c004c6f98c4d092227dd5c0a32044f19956117f9ee4dbc749
0103b1c78fd2b588d3df5c688369fce8621e8c22d3207faaa1e8404c0ac860c9
f2392e04e5ffb9bcee95ce763a7686322a9abd7210af28ef3f653402515a6013
8357f957b093fda087166e77b0e6a59d8d0d2fde1002d0be9ce5f99db26d63bb
be4448d373ea201e390e0bb158bba4f3ceb111ff37cd586c770a3d0e887d5bf1
c36369fab2df20ecfe48904d1e740c361fbf72f7f06221cefcbb1586d696506a
f91c4c7fd22d1d1ad83e7b8984b7b317689c6c75b3dc5ad29292a72161ab2164
d00a21bc17cc36be9b55a6c36f6c51e3f8f5300bfcd80246cfaadc4d3b638a99
db54fbe35d83bb19deaf215649ce9c33974913b4a03fb0060f6afec3a33d1d42
2fa30c4928317befeb052607fb0181fbd4be52f5b2c37cbe4bdb42e743355449
b155dd58a04167ae2b542b3e84c60e2761bd66e7a96f66476d5568b84b801936
c7bdef6f72689a3279cfbd4a47882019055e0138cdb2ab229cdb96f9ed541196
1630e8b9995d554a7b791dfa929f77c659c48e0358008fb7eb66fe54d63d86b3
2bc972f3ec09f8d1bdc1b25a3fe57db9a08577117d3a0d0ce5e5282e976d9111
5506f23308b0b3dff288866ab0b560f2fe5d61f53f4730428ab145f5ee033f84
8734c94b5ebc9260065d6ac359500b8f17f290be6c74bb72b9c0cacccf9b7d63
dbbf0fd1d25e6411faddab4b2f689dcffd04ce06642e1319f9d6fb00a2c343ca
b8c36a5b681b071cc8c8a34fa1d1656b705dbe1f433706b386b78fd73ef6e884
bd786fd63a731d3b49654aa94045c0b9c11c5c7112636befa6ecee7ff91d4c51
99af728a80e56652b6622bc371fd9a6cc4702e2c5598918c42eee05681850d2b
a9d818bc38d2a84ff40e54a062a9fba01a0648300fb1a892432547bc5b85e158
9c50c6516f166d7975bfb56b0a41cffb52844eb63c1c9ef2fd3502305d075a96
ddbf042dcfbeef6cf190530ca077b62d1366ef54356d0ed63814e8b9b07ca8de
31699232fd5243c9ed94a774b8b36fe40211590ba9460d8eca4251c24618beb9
5d8ae2e91d0e7c2dfb51972bc8f825ed37a76ab49d70809a446bcf3dd9dc9759
c0834472538b4521860ce0d38b7fb302e06da7fb0f328d2ce1614b176b44f5f9
c90b2d72296b49c72b221773c6fcc65648e0f0aa7ffc62611681c9cd07e6bf32
84d88aa331513f6d7e41095e2187e4571dd08b9aedd52202dbb39fa1e9fd5565
ee38d1b102d49efb131e686f67a3499b35eb4e412ed8c9bd6a5fe8a22320b3d6
e1c7a0142096027135342d53d50e982ca0db4683cb578fa7528f7da6394397d6
59c68aa4d3b5e77347aa69a31f2592220359ff8f45c18bf9ef5ad047e072534d
3eab5d3870693e704bdf913c10eb1b7a2a9dfbc3e85c58d2e3685ccbb5a1114a
6714c82529a444b8ce3f8bfae085604f2618954394d7812e68f473ebfca78a26
a6595037149574b9ef6ac2be554fda95aef17dac424a214f8582031112a43f56
dd762de25b94a493d115906421412af660db77916a2a09baa40be5a9fcbf63d1
d5bd67edddb02aaf59ac0743bc2ad8fe235ee8b4cda045e2475193cb8ccca8ff
SH256 hash:
784858a81d449987662a574092b738f992d6cc7c5da7e99950da1d56cdc61183
MD5 hash:
f651d15f851c3faa1981b8fb86a91066
SHA1 hash:
b88a1be84247498bd0cc7aaca0b99eaea5249e08
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/2d0a4ce6-de53-44d7-b3e6-cdd945d0fb30/
Malware family:
VIPKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0ca81feea4b4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0ca81feea4b45d3c004c6f98c4d092227dd5c0a32044f19956117f9ee4dbc749

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:crime_snake_keylogger
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects Snake keylogger payload
Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip 829284eb349b472d5a2265b033f159c1cd692704a2c0d77239d9378c0ecc7330

SnakeKeylogger

Executable exe 0ca81feea4b45d3c004c6f98c4d092227dd5c0a32044f19956117f9ee4dbc749

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 829284eb349b472d5a2265b033f159c1cd692704a2c0d77239d9378c0ecc7330
Cape
Cape
https://www.capesandbox.com/analysis/1569/
  
Dropped by
MD5 1489b1dcfb8ca9a57462d915f3eab019

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments