MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1179340120d15da615c756d150ef5e5416bafe41ccdc0207da63f8877177194c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments

SHA256 hash:	1179340120d15da615c756d150ef5e5416bafe41ccdc0207da63f8877177194c
SHA3-384 hash:	f3c25e11949b4ef949bc9a83abcc6a81b73768eba3bb2951541558bd095011423c2e56e19947cf1f56ace44d2f54fd03
SHA1 hash:	6ac3522f2ca5016163e4628dd34540ac9c265d98
MD5 hash:	3c707a76b1c6c53e381e5da078ce8997
humanhash:	grey-timing-apart-muppet
File name:	INV 317437.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	275'750 bytes
First seen:	2024-01-19 16:37:10 UTC
Last seen:	2024-01-19 18:21:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:KYa6wCcfGAtjzSSWr+LL97alHLpS9pzEYzUUG3Z:KYGCcOAtjzSbrYwlHLYGU0
Threatray	5'913 similar samples on MalwareBazaar
TLSH	T137441225A2D5C42FC4B10FB04775C7A22EAFA4351459A32B73A16B6B3D33E5186BE321
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	eaea92b2f2e8acb2 (5 x AgentTesla, 4 x SnakeKeylogger, 2 x AveMariaRAT)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

322

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/471728/

Detection(s):

SecuriteInfo.com.FileRepMalware.29662.11050.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/65aaa56edca4dca481de2e35/reports/3a092bb3-24eb-47ec-bea0-3f75d0bddd0a/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/1179340120d15da615c756d150ef5e5416bafe41ccdc0207da63f8877177194c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f270a8db-1ac4-4627-9132-59fc09484f4d

Result

Threat name:

NSISDropper, Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1377614

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected NSISDropper

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1179340120d15da615c756d150ef5e5416bafe41ccdc0207da63f8877177194c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1179340120d15da615c756d150ef5e5416bafe41ccdc0207da63f8877177194c/

Threat name:

Win32.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2023-04-06 08:38:41 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 37 (72.97%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cf4tiaja2fo2mfohk3ivb326kqllv7sbztoaeb62mp4io4lxdfga._file

Verdict:

malicious

SnakeKeylogger

1179340120d15da615c756d150ef5e5416bafe41ccdc0207da63f8877177194c

SnakeKeylogger

861560fab6adef6b87a9ca272f91f8979bc28e85f120a390dadad92bccf77996

SnakeKeylogger

b8c9a4161e9621de6e7fa177230bd3841a575a00f0456b54efab368046479722

SnakeKeylogger

ce19714fd8b8b9cb4f76411015264d61db6d9ffd534676df96627a3f06f75250

SnakeKeylogger

e046ceab4b255e8af9af409eda3c2f1135bbd3dae0cc9af9b0102c9b054e66a5

SnakeKeylogger

ea93863c147402b54407c3a1eff90043b55e76a08aa3ff4a8823469dd4d9def5

SnakeKeylogger

f628e27a84dbc19429086451a325881429a530b7f8e67089e1759cdbf03ffcf7

SnakeKeylogger

+ 5'903 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/240119-t5dezahhak/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot6180860165:AAH5meoxRqYOnd7z0M_zkiqQ7pmOf_hbrUY/sendMessage?chat_id=6077046490

Unpacked files

SH256 hash:

a6933c87abc8301a501a23bf8788692959d21ebc9389898278c39497d3092bcf

MD5 hash:

ed84e675015789b204e8deace5caa12e

SHA1 hash:

e7e13a71b81902916e43157f55516b0328d7f7c4

Detections:

snake_keylogger

win_404keylogger_g1

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

MAL_Envrial_Jan18_1

MALWARE_Win_SnakeKeylogger

INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Link:

https://www.unpac.me/results/c0852218-b34c-4005-b3b5-393f1c89a532/

Parent samples :

e6664291d17d4d53254f9f87f99ccf49c8369ca4e2d1dc9b9f8a22c734b15007
5f06140929035fe344541f46f70e19e7ebca5a0bdafed473759788fda29bf3bf
6b38029a4a148a0851ff3b6ae46eceb149154ac575836a7989661acf5a89d471
3557c86a8e99ac9a2b803da17e337187eb4f2d7645760889ed3738730118ed6c
8c0e721552c34db7f85815bb3dd9e2847df1deffdb9e889fdf23127a8a81d2f9
571a662f9f434bfede9e6c79294bfd87fa23e7f93918e4824590b961f5b10d85
a6933c87abc8301a501a23bf8788692959d21ebc9389898278c39497d3092bcf
3355b6fac696f3aad246fd34404a407dd9a7945f540537ec695bb1cb75c337c0
48b3525f35a068cb4ec4d6a9206bb06f0f44c968860b01ae3eb44342aecc43f4
9ac31ae0a27c73e4e7fb6bbe525d772f8a165853c5eeda99a0c0cfba280d2c14
bfc766d53661d8b9941f98d7ae4a6b57bf133159bdcdaa0c05dd8510ddc43e9d
1179340120d15da615c756d150ef5e5416bafe41ccdc0207da63f8877177194c

SH256 hash:

fa131fed0362cbd98e12e073818807863b6b2ceccffd171195766ef2cbc943fe

MD5 hash:

4ff4dd6b2d5590693bacb36cb0c985f7

SHA1 hash:

e0f855a738cf4b620e947821606e60d406071540

Detections:

snake_keylogger

win_404keylogger_g1

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

MAL_Envrial_Jan18_1

MALWARE_Win_SnakeKeylogger

INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_DotNetProcHook

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Link:

https://www.unpac.me/results/c0852218-b34c-4005-b3b5-393f1c89a532/

SH256 hash:

0c69de10bce3bbdea0a2db0caf5a79b3864d4d4da59bcae89f08e5b468350681

MD5 hash:

a125ad645e6565297bab29355475dbad

SHA1 hash:

0c1b472760f288c6a31181165f2ceef63ea69fae

Link:

https://www.unpac.me/results/c0852218-b34c-4005-b3b5-393f1c89a532/

SH256 hash:

1179340120d15da615c756d150ef5e5416bafe41ccdc0207da63f8877177194c

MD5 hash:

3c707a76b1c6c53e381e5da078ce8997

SHA1 hash:

6ac3522f2ca5016163e4628dd34540ac9c265d98

Link:

https://www.unpac.me/results/c0852218-b34c-4005-b3b5-393f1c89a532/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1179340120d1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1179340120d15da615c756d150ef5e5416bafe41ccdc0207da63f8877177194c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 1179340120d15da615c756d150ef5e5416bafe41ccdc0207da63f8877177194c

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/471728/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample