MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cc2e5b30e63a14392a667b12c238c794eba4d2e6bc8f581319baf1e0efe537b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0cc2e5b30e63a14392a667b12c238c794eba4d2e6bc8f581319baf1e0efe537b
SHA3-384 hash: 567dc6cd248550be398b7d76a60d4ea6df85b99cbf96d17c382d3dccf38d5f5373421c65bdb4a0a732850c649d7c7440
SHA1 hash: 3504eb5b5aaf4883aa943f22801edd99523b8f99
MD5 hash: 14089bb840cae4cdd835d2216b2b7c66
humanhash: blossom-blue-equal-seventeen
File name:order sample specification.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'089'536 bytes
First seen:2022-09-15 11:47:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:EozHPsRlIHHnL1z/t41kOdwQl/7BfGJhw3whvnT9RDgur/usl7XCwOS+2m4:lH0iHHn90PdwifhAZ9FguXXd+z4
Threatray 105 similar samples on MalwareBazaar
TLSH T17D35E01817A5C906C97AA670ECE1E2705FA86EC1825FC35F08DC7EB7F6763589C813A1
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0f47090c0c0a470f (23 x AgentTesla, 5 x Formbook, 1 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
order sample specification.exe
Verdict:
Malicious activity
Analysis date:
2022-09-16 08:01:14 UTC
Tags:
evasion trojan snake keylogger
Link:
https://app.any.run/tasks/036cd1b2-98c3-4f96-81c1-449a7aec92a0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310226/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63231138b564f001cc89d72e/reports/0ea1cf42-f4e4-493e-a1f6-09b4d884b84a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/17208a3d-76be-47b1-90bf-7c2320863b09
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1070868
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0cc2e5b30e63a14392a667b12c238c794eba4d2e6bc8f581319baf1e0efe537b/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-09-15 11:48:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=btbolmyomoquhevgm6ysyi4mpfhlutjonpeplajrtoxr4dx6kn5q._file
Verdict:
malicious
Similar samples:
09ec1d3db03b2425ca774fb9dfb02384d149a804ed3ef690f1cf3129ef7677ab
SnakeKeylogger
449238734fa329e17dfa46fc52b056f4871acbb4594c55a5eff63a7bccfc34f3
SnakeKeylogger
4e4937d04ce933221fad993e7db49a096f11cefbe11c593da9041d5e375d6119
SnakeKeylogger
654a2eb34978a26d0460717b1455bcc81d0009ef8f0bb2f40b0492ae1cb8a969
SnakeKeylogger
6c56003ac5a82c9f424658ea9e4fe43dd887f3e8122c95f80a2b983e55e9194e
SnakeKeylogger
7cd6d1e1739445937ebfb73d8ad73d6cb1b87f65811435e15212cf4c4db061ee
SnakeKeylogger
ee8ca295b5207447c2f6d92d2a964399b5d4f58d2787e2a7e0bdeb3282f55472
SnakeKeylogger
f23701b52c994665bb4f95c48306728400a78fa164a8adf2d66eaf5ffccce185
SnakeKeylogger
+ 95 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Link:
https://tria.ge/reports/220915-nyfc4achg3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/898328cc-19af-4834-879e-c2969cb9fdf0
Unpacked files
SH256 hash:
7ac216a2c1587163bf8c86e599c0b85b48fc1a9741beb1b06e19b394dc6e9553
MD5 hash:
c95249a443ec41419b0debdff4a77823
SHA1 hash:
d0baff98cd8854c021d5716cd89546be28bb775b
Link:
https://www.unpac.me/results/dd679eb1-365f-4468-b610-01f2e4a08166/
SH256 hash:
8211e892b660ae3f22f802dd5ac9f4c5aa3a04cdff7be9f412d21a4ce93edc3b
MD5 hash:
fc33b3310ca744d5c06a66f7ea64bcba
SHA1 hash:
aff72bf73d980d21c850800d84d91b896624fb3e
Link:
https://www.unpac.me/results/dd679eb1-365f-4468-b610-01f2e4a08166/
SH256 hash:
105350da791b5a2fd656822b8c061923a684081040d9c2fee6aa363d384b1ce3
MD5 hash:
b19bd16465a2a8dbf671ba0492d395fc
SHA1 hash:
a8059150d1039c5dcf52713adeafa58ecc0137c4
Link:
https://www.unpac.me/results/dd679eb1-365f-4468-b610-01f2e4a08166/
SH256 hash:
44c50087cbd9a86677ff5b898c1ad52abf5f25297179a174edcc8b81dec967fc
MD5 hash:
d012ba9057bf67c7f29871326f2af919
SHA1 hash:
1d5b8b512b37f0e1900496b578117082929654c7
Link:
https://www.unpac.me/results/dd679eb1-365f-4468-b610-01f2e4a08166/
SH256 hash:
e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee
MD5 hash:
35cb29046968faca7f3f3b4463449b6c
SHA1 hash:
088c8c30ec1bece0a4b5bbfe3982b073f8b95598
Link:
https://www.unpac.me/results/dd679eb1-365f-4468-b610-01f2e4a08166/
SH256 hash:
0cc2e5b30e63a14392a667b12c238c794eba4d2e6bc8f581319baf1e0efe537b
MD5 hash:
14089bb840cae4cdd835d2216b2b7c66
SHA1 hash:
3504eb5b5aaf4883aa943f22801edd99523b8f99
Link:
https://www.unpac.me/results/dd679eb1-365f-4468-b610-01f2e4a08166/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0cc2e5b30e63/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0cc2e5b30e63a14392a667b12c238c794eba4d2e6bc8f581319baf1e0efe537b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/310226/

Comments