MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f651ba14b0d8a07828c32cc6a22cc5f624a92292be93a6b4773cbcad935bc1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f651ba14b0d8a07828c32cc6a22cc5f624a92292be93a6b4773cbcad935bc1c
SHA3-384 hash: e442f2c09802279d5f45d540ccfd313ff3ce23cc15c8c6f09edecd68d135dd8986fe042fbd8b17be7537eb8d75551e15
SHA1 hash: 646a788ac005157401610e1ac8abc27c0a73e45c
MD5 hash: 02fd5912c6eac9a6456704470ea4832b
humanhash: bulldog-comet-ack-lima
File name:INV CONFIRMATION.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:1'020'928 bytes
First seen:2021-02-10 07:09:17 UTC
Last seen:2021-02-10 09:24:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:ABSAdehfZIKEIHFn6eLARvnJMunxRXVRPwsk7lIzGLoZi:lh5EIZ6SARvn6WnDIsGrLe
Threatray 352 similar samples on MalwareBazaar
TLSH 2025D026F659BA30F0A8377398B1477042BEAC125A21E52F7EDC369C19B67DC45D3E02
Reporter abuse_ch
Tags:exe SnakeKeylogger


Avatar
abuse_ch
Malspam distributing SnakeKeylogger:

HELO: gmail.com
Sending IP: 45.137.22.102
From: Sales <janattbs7@gmail.com>
Reply-To: Sales <janattbs7@gmail.com>
Subject: INV CONFIRMATION
Attachment: INV CONFIRMATION.ace (contains "INV CONFIRMATION.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INV CONFIRMATION.exe
Verdict:
Malicious activity
Analysis date:
2021-02-10 07:16:24 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/c6b830a4-de47-4ba9-9318-10bef9e08d8d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116373/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36323271.20677.27585.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/603961
Signature
.NET source code contains potential unpacker
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f651ba14b0d8a07828c32cc6a22cc5f624a92292be93a6b4773cbcad935bc1c/
Threat name:
ByteCode-MSIL.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-02-10 04:24:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b5srxiklbwfapaumglgguiwml5reverjfputu22hopf4vwjvxqoa._file
Verdict:
malicious
Similar samples:
1c84bef1753422b7ef164c3d89dc0966041bd694b0946b5d2cb1c9b971e3ca81
SnakeKeylogger
2aa2a644cc059d9314a783e295e4c35102ffce374e2bf1b49f8fb8631ffdbb65
SnakeKeylogger
4f11e57e682eba91e574e673edce45efab46c20ad2d98826fb1b0880adee2aa0
SnakeKeylogger
5a20f6f027d90e3efde8d079ab00d86d925f8975d6e8c69e601cf23572eeebeb
SnakeKeylogger
5a2ce470fbe1babd44df83899f5909e3dcd031bc95de5a748f473f288084de7a
SnakeKeylogger
641c0aa7cf4d3a8dd646a8a295e8c3f66ea01eb4bc86547c90b52390ca04c2b9
SnakeKeylogger
69b99d16f072c6ab2687da255681f3f1c3a97746bfe516b206644a5056a99425
SnakeKeylogger
7bf28130b0141b6ae9b4b4bb71c7a300d9025944e08db4206eff5d0bc8a3b264
SnakeKeylogger
a730154eedce8c175f18e82c1102e01a7ee94fd74cbee7df85b473233ea764e6
SnakeKeylogger
cd1cdd19d3500f9947de10caa28d3fad75bc207faa10b7f9f7aab88c720dea1b
SnakeKeylogger
+ 342 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger ransomware spyware stealer
Link:
https://tria.ge/reports/210210-jrmjjqb7vx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
519b69e7efe4f5bd26edeb11f63c4789a9d4514593f6a83a81e48d4abf39f711
MD5 hash:
6d896fee9e903e409a7006eecd769641
SHA1 hash:
ecbd1774fcfa11bd2d18bc8cde479ec71b6085c9
Link:
https://www.unpac.me/results/e1d4b1f3-e4a6-4469-8cdf-d5b51366a3e5/
SH256 hash:
b8d2575d5f6b94a91a98470957a2e07ef47d89ca144bc3c8c9bddb8d60b55c99
MD5 hash:
a8d77c9f4be051d52ab1d844af7c2ccc
SHA1 hash:
cc8697dbd4836f2fedb18ddcd01c347821e904dd
Link:
https://www.unpac.me/results/e1d4b1f3-e4a6-4469-8cdf-d5b51366a3e5/
SH256 hash:
6c8b5f7d040222dc9c544a1b185dd23d33750f93dd5d7b20845d7246a2b005e8
MD5 hash:
20f9572ddafeccfe0ce53599f1f9d5e7
SHA1 hash:
6c9792ac3d5b7fffc3c7a6e14163845d3e2f7c6b
Link:
https://www.unpac.me/results/e1d4b1f3-e4a6-4469-8cdf-d5b51366a3e5/
SH256 hash:
0f651ba14b0d8a07828c32cc6a22cc5f624a92292be93a6b4773cbcad935bc1c
MD5 hash:
02fd5912c6eac9a6456704470ea4832b
SHA1 hash:
646a788ac005157401610e1ac8abc27c0a73e45c
Link:
https://www.unpac.me/results/e1d4b1f3-e4a6-4469-8cdf-d5b51366a3e5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0f651ba14b0d8a07828c32cc6a22cc5f624a92292be93a6b4773cbcad935bc1c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

zip c6cf964f44ab8812f5eaeb1ae37fd1193b4e0cdd80142682a344de1f650e904c

SnakeKeylogger

ace 47f4843c3dbfa0d801e05161c5891aedd252a09aef20e5b4c0b420f599456dec

SnakeKeylogger

Executable exe 0f651ba14b0d8a07828c32cc6a22cc5f624a92292be93a6b4773cbcad935bc1c

(this sample)

  
Dropped by
MD5 3c92dd00fa34486aa4048e914996f4e9
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 47f4843c3dbfa0d801e05161c5891aedd252a09aef20e5b4c0b420f599456dec
Cape
Cape
https://www.capesandbox.com/analysis/116373/

Comments