MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0efc0d67d9be3cbc40ab4ad49b85d9cc4bb5997211899feb7437e427831015fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0efc0d67d9be3cbc40ab4ad49b85d9cc4bb5997211899feb7437e427831015fa
SHA3-384 hash: 6495cc2d9430ffe271abbb375e401d10f6b4563bf57902d372d1dfb1a57a12db64326d5069d295c2c55fc174d475b433
SHA1 hash: 2a06deaf1ad3da40cd72528e04336f6bd0f16871
MD5 hash: f69d8f7707fd214fad1dbf3f1f1765a9
humanhash: magazine-low-wolfram-yankee
File name:f69d8f7707fd214fad1dbf3f1f1765a9
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:569'856 bytes
First seen:2021-08-11 13:59:38 UTC
Last seen:2021-08-11 17:06:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:QSgWYL9+BCta5h7woBS4y721TlFLnccwFuz4MFeuu3qAM2ZAZ3DWjitGginvQj9O:QSgB9+BC8ZBS4qHurFeuq
Threatray 665 similar samples on MalwareBazaar
TLSH T14FC44AAC365075EFC817C976CAA81C64EA60747B930BD203A05716ACDE1DAABDF141F3
Reporter zbetcheckin
Tags:32 exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
3
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f69d8f7707fd214fad1dbf3f1f1765a9
Verdict:
Malicious activity
Analysis date:
2021-08-11 14:03:14 UTC
Tags:
trojan snakekeylogger keylogger evasion
Link:
https://app.any.run/tasks/9ecce135-579b-4a0f-a96d-7ce476a547a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178292/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46773069.26909.11280.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Setting a global event handler for the keyboard
Forced shutdown of a browser
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c4853a8f-7c33-4396-9966-202a7c0cea83
Result
Threat name:
Snake Keylogger Telegram RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/831002
Signature
.NET source code references suspicious native API functions
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0efc0d67d9be3cbc40ab4ad49b85d9cc4bb5997211899feb7437e427831015fa/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-08-11 07:44:27 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0497fc206987e992f615638411ea9da0470e2dcbcd05546d4240ef09a82f925f
SnakeKeylogger
2b2b2d652f0df53f1bdf4eead3ef92831132eacfef595043033d375dfe91c8ef
SnakeKeylogger
2ee555b4d69513eed39976e0fb0e6a6165d20c30e8a4dcc1e55ea7e001dc1127
SnakeKeylogger
ad34fe380bb9d7aca419a4da6729eb22cfc64f3003bda67acc3267cdc4ccdb21
SnakeKeylogger
bbeac700ec88ce4b23f0bb5c996effc1586ef0e7802bc18695ecd3845a2a0022
SnakeKeylogger
bfa0c6d6a166011476ffd4f4fa1c2c1669c273fa945f729267fa537ce7689b44
SnakeKeylogger
c2d1f5494d37cd229d820b263c934eba39bab86570c54e207730d1c84de98393
SnakeKeylogger
f82c03c2fb967d594b083b5c743270a4f4306ddf2f90e28b39e8e56911ad915e
SnakeKeylogger
fe7933b0f7dde64587b0bbdaa5e4728066c4eb56edab2ee863ad94cf52b0391f
SnakeKeylogger
+ 655 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210811-zmnn2fp68n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Unpacked files
SH256 hash:
962ac80ee2ce956e16904c611e706deacabfbe4e4f4495bbafefd6095269db0f
MD5 hash:
8259c9979d28dd89385e91b394afc8b2
SHA1 hash:
01a1317cd4122e57eaad54bcf53a4a2f4fabcd5a
Link:
https://www.unpac.me/results/9c237399-08b3-430a-b938-13c1d976d1f4/
SH256 hash:
379532bed7fd679d540c52598dc97848b071c2293e6627a8f98aa18bbd88209b
MD5 hash:
6a3fdc523a13a72a5ebea603789b1810
SHA1 hash:
80f3a9f5170a3265d8a8e3623c51242ddd8a374a
Link:
https://www.unpac.me/results/9c237399-08b3-430a-b938-13c1d976d1f4/
SH256 hash:
b40cbba3227271e014967323b6e57d697b65e4fd7a670639f4886bcc11566bd1
MD5 hash:
054fb99a987094f6a4df5d6a6c42a719
SHA1 hash:
a5a48bfa00ad1f2430a315b7b9e49850ec11fa80
Link:
https://www.unpac.me/results/9c237399-08b3-430a-b938-13c1d976d1f4/
SH256 hash:
0efc0d67d9be3cbc40ab4ad49b85d9cc4bb5997211899feb7437e427831015fa
MD5 hash:
f69d8f7707fd214fad1dbf3f1f1765a9
SHA1 hash:
2a06deaf1ad3da40cd72528e04336f6bd0f16871
Link:
https://www.unpac.me/results/9c237399-08b3-430a-b938-13c1d976d1f4/
Malware family:
Phoenix
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0efc0d67d9be/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/0efc0d67d9be3cbc40ab4ad49b85d9cc4bb5997211899feb7437e427831015fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe 0efc0d67d9be3cbc40ab4ad49b85d9cc4bb5997211899feb7437e427831015fa

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/178292/
  
URLhaus
https://urlhaus.abuse.ch/url/1524941/

Comments


Avatar
zbet commented on 2021-08-11 13:59:39 UTC

url : hxxp://103.156.90.178/ANN.exe