MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ee6afd5a496180803e741eabec888e46b881060d0bf8543583bf33f297e53bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	0ee6afd5a496180803e741eabec888e46b881060d0bf8543583bf33f297e53bf
SHA3-384 hash:	0032efbd6cfbea8dcb27f31e6a8f1a647f1f1169938f75b66edc39ec6f0ea8e3a2889db925ddcc6a4440c4147e96adb6
SHA1 hash:	251a77548894db92cc31132051dd708b31722c08
MD5 hash:	72709bcf6b4fb911b17cc2fc3328c1c7
humanhash:	pizza-golf-edward-berlin
File name:	234567890987654234567890-09876.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'034'682 bytes
First seen:	2021-12-22 11:21:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	24576:o+TwV9A+lf5k2bAuvuQlSG4aOXFQQaAbNZc8CnXPa+ctE5MC44Q3Y5:o+TwV9A+lf5k2bAuvuy54aOVf1rO+kv5
Threatray	3'723 similar samples on MalwareBazaar
TLSH	T13325E0E2B980C5E1F81E4672D06B9CFA541BDD7ED91504CF2A88BEB938B74C25126C1F
File icon (PE):
dhash icon	163b71212d593b36 (1 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

192

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

234567890987654234567890-09876.exe

Verdict:

Malicious activity

Analysis date:

2021-12-22 11:24:14 UTC

Tags:

installer evasion trojan snakekeylogger keylogger

Link:

https://app.any.run/tasks/9a5fca14-38d7-4cd8-978a-83a3673af314

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/215774/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a file

Unauthorized injection to a recently created process

Сreating synchronization primitives

Searching for synchronization primitives

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Forced shutdown of a browser

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/2933/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/61c30a5dec6c6c14a9e9dbec/reports/fa368266-b8cd-45f2-b828-e5b392dabe75/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/0f93321b-8a21-4168-b726-5c425d82a9bd

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/911498

Signature

.NET source code references suspicious native API functions

Contains functionality to capture screen (.Net source)

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/0ee6afd5a496180803e741eabec888e46b881060d0bf8543583bf33f297e53bf/

Threat name:

Win32.Trojan.Nsisx

Status:

Malicious

First seen:

2021-12-22 11:22:12 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

6 of 43 (13.95%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=b3tk7vnesymaqa7hihvl5sei4rvyqeda2c7ykq2yhpzt6kl6ko7q._file

Verdict:

malicious

SnakeKeylogger

0fae331eb46ca1a2971d2d03cc3558e51f73c36d14b70dd731ce44f799c723ef

SnakeKeylogger

1262949670a7d19a7906a1fb188492165de2ee15099242c4659ecb09dd83c0af

SnakeKeylogger

230f53c0367ccdf77ff1f665ea66fcb2e6bb18c999b798980d8e0c9c19421eb3

SnakeKeylogger

4a5b5a531a3b114eec42bec024ce1f0d4178a109c08510311819c58e920fd90e

SnakeKeylogger

6a7753dba591a0f953c07a4e13ef1682c3839bcc380545a647da6e24bef41786

SnakeKeylogger

7153013d7578222f3968cd387f215335e1fe4438a04bac26a33e6433cce92031

SnakeKeylogger

abffc06bc8ef92890372152d4a281c82183c34d5be27ee128f7920c0cbfc705a

SnakeKeylogger

+ 3'713 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/211222-ngkaqafcg3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Drops desktop.ini file(s)

Looks up external IP address via web service

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

0ee6afd5a496180803e741eabec888e46b881060d0bf8543583bf33f297e53bf

MD5 hash:

72709bcf6b4fb911b17cc2fc3328c1c7

SHA1 hash:

251a77548894db92cc31132051dd708b31722c08

Link:

https://www.unpac.me/results/e55d0ca8-5312-400e-a8b1-364008c9b856/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0ee6afd5a496180803e741eabec888e46b881060d0bf8543583bf33f297e53bf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 0ee6afd5a496180803e741eabec888e46b881060d0bf8543583bf33f297e53bf

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/215774/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample