MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cf5c56abe0bfddd98d9bd5ad976e99caaa170e02ca43902773c4d4c7f47bc69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0cf5c56abe0bfddd98d9bd5ad976e99caaa170e02ca43902773c4d4c7f47bc69
SHA3-384 hash: 421a6a68aff96c688d326662c5cea3031551f29427742267f67a9dc55b105b93402023a7dd3d6d818b01f47c4f7c3683
SHA1 hash: d63e16a872229109d88b1e993c15caff19e45a23
MD5 hash: 5e09c20ee72f997f71e1dcc3c959f3f6
humanhash: seventeen-london-cola-oregon
File name:adjunto ,pdf.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:20'480 bytes
First seen:2022-03-24 18:27:38 UTC
Last seen:2022-03-24 20:42:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 384:E5vcKXwFm4p4hdRZZEo46BS/RuAiSUaepk0OOyd3zXzY4h4:S+4NZu83SUaq1LyJDzc
Threatray 3'125 similar samples on MalwareBazaar
TLSH T184925D19A3D5C673D0E94B3258F31A9097B4E2396937C71EC886133DDA5330D0A96B71
File icon (PE):PE icon
dhash icon 489669d8d8699648 (53 x AgentTesla, 24 x SnakeKeylogger, 16 x AveMariaRAT)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/257289/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.47118.25132.16269.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Launching a process
Creating a process with a hidden window
Running batch commands
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/623cb83fdfdfa8501cda39d4/reports/7edc1508-2111-46f3-b8ee-ab3f56641c96/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bd49ec56-a574-4a14-8628-c6faacc4cfe5
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/964146
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Encoded PowerShell Command Line
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 596624 Sample: adjunto ,pdf.exe Startdate: 24/03/2022 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 12 other signatures 2->42 7 adjunto ,pdf.exe 15 4 2->7         started        process3 dnsIp4 28 45.137.22.122, 49760, 80 ROOTLAYERNETNL Netherlands 7->28 26 C:\Users\user\...\adjunto ,pdf.exe.log, ASCII 7->26 dropped 44 Encrypted powershell cmdline option found 7->44 46 Writes to foreign memory regions 7->46 48 Allocates memory in foreign processes 7->48 50 Injects a PE file into a foreign processes 7->50 12 MSBuild.exe 14 2 7->12         started        16 cmd.exe 1 7->16         started        18 powershell.exe 15 7->18         started        file5 signatures6 process7 dnsIp8 30 checkip.dyndns.com 158.101.44.242, 49797, 80 ORACLE-BMC-31898US United States 12->30 32 checkip.dyndns.org 12->32 34 2 other IPs or domains 12->34 52 May check the online IP address of the machine 12->52 54 Tries to steal Mail credentials (via file / registry access) 12->54 56 Tries to harvest and steal ftp login credentials 12->56 58 Tries to harvest and steal browser information (history, passwords, etc) 12->58 20 conhost.exe 16->20         started        22 timeout.exe 1 16->22         started        24 conhost.exe 18->24         started        signatures9 process10
Detection:
snakekeylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0cf5c56abe0bfddd98d9bd5ad976e99caaa170e02ca43902773c4d4c7f47bc69/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-03-24 00:57:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
23 of 42 (54.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bt24k2v6bp653ggzxvnns5xjtsvkc4hafssdsatxhrguy72hxruq._file
Verdict:
malicious
Similar samples:
0bc6152941893e5d36af2520150b93cc439e5efdb476038e6fac9a17dacc743f
SnakeKeylogger
459ffd564cff546baed72dc2ba79fff156b533600495098f319eed8239d0bb21
SnakeKeylogger
742526bc4de3287b0d55149acdc82c1578cbaae2c42066e40ac5812ed9fd3159
SnakeKeylogger
7529261b01e2f6d420aa0239c584a7d6c0022ea71ce562335d1384a03d529bbd
SnakeKeylogger
ae13fe36ae25d1c276ec9efaaa8599e186f9df2b2d742c7999b895fdf2d302d7
SnakeKeylogger
b188bb830946acfecb6674b08fd89db34c8aa2be066205f7ee50c9f8fbbe3454
SnakeKeylogger
d9c3080d262ce878565455b1d34ab1ed0c45e470cb6651de7e168150807c7d1c
SnakeKeylogger
+ 3'115 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220324-w4dqfscfd6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Unpacked files
SH256 hash:
0cf5c56abe0bfddd98d9bd5ad976e99caaa170e02ca43902773c4d4c7f47bc69
MD5 hash:
5e09c20ee72f997f71e1dcc3c959f3f6
SHA1 hash:
d63e16a872229109d88b1e993c15caff19e45a23
Link:
https://www.unpac.me/results/31b16669-0c36-497a-9574-5163bb652276/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/0cf5c56abe0bfddd98d9bd5ad976e99caaa170e02ca43902773c4d4c7f47bc69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:buerloader_halo_generated
Create hunting rule
Author:Halogen Generated Rule, Corsin Camichel
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 0cf5c56abe0bfddd98d9bd5ad976e99caaa170e02ca43902773c4d4c7f47bc69

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/257289/

Comments