MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11ec5629d8faba1d833f479be2741e05dbf9cf4e391a651afef4ed3b4f9b8cc8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 10 File information Comments

SHA256 hash:	11ec5629d8faba1d833f479be2741e05dbf9cf4e391a651afef4ed3b4f9b8cc8
SHA3-384 hash:	2580bebe25e56c18adb0ce7964a68d6f0b82e0390a309c3b1cc723d5e4b14dbcdfa6499f68f0bd11264bc4fd22fbbc1d
SHA1 hash:	ac9319644fb88e04255497f0462f18ccd391b709
MD5 hash:	e3edc417be072edc95357b41c5901d75
humanhash:	april-victor-zulu-four
File name:	lLwIMX6OKZZo7VL.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	788'480 bytes
First seen:	2021-08-05 16:52:10 UTC
Last seen:	2021-08-05 18:14:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:JoR6qg27BkyL7lERH7m6WyySyCB0CzU11:Wsq7BkyL767wyRyCB0/1
Threatray	1'626 similar samples on MalwareBazaar
TLSH	T1DFF46B2229EF158DF3B3AB750FC4F8BE56EAE573571AB0B638910B464322940CD61736
Reporter	James_inthe_box
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

lLwIMX6OKZZo7VL.exe

Verdict:

Malicious activity

Analysis date:

2021-08-05 16:53:18 UTC

Tags:

evasion trojan snakekeylogger keylogger

Link:

https://app.any.run/tasks/1d921555-2ea0-4c5a-94fd-0c934a008b66

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/176752/

Detection(s):

SecuriteInfo.com.Backdoor.Fynloski.A3.4056.24905.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/08fbfd55-7ba8-4721-8c73-d0d0405093bd

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/827542

Signature

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected AntiVM3

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/11ec5629d8faba1d833f479be2741e05dbf9cf4e391a651afef4ed3b4f9b8cc8/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-05 11:13:15 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=chwfmkoy7k5b3az7i6n6e5a6axn7tt2ohengkgx66twtwt43rtea._file

Verdict:

malicious

SnakeKeylogger

36b9146fd7d45954b83a4da982270bc9274240acf44a683ef71e7387f784053a

SnakeKeylogger

4c25557b1d7a360b69a1ff457e63b31351e438dde35661a85550c403fd8f0d1a

SnakeKeylogger

82a617b8169608e73ce761f98793ee01e8d6c936bd2f0a7048f1fcb9bea283c8

SnakeKeylogger

9228b7e3b6bebf36bd59a1d3245eb162316e12220422e721931f70e77cd687b3

SnakeKeylogger

94e80a1ae01277f8276fc861bead165e7edbf6590bec7f6da1cc42cf45d87495

SnakeKeylogger

bd0c6248385512dedcb4b5fc5012463cd11ae4e6e2ef2de612621b868fbb9687

SnakeKeylogger

c9fae10d5d7d2177caff01384688e386f651232e5ff24c1729b4db443f857fd9

SnakeKeylogger

e07fbf3b9adba7e4aceb5cc6804c0002ee01c000d4e67ff3227f59eb9949c80e

SnakeKeylogger

f5f438857e1d75cd3a0c7c8d8fde494ec31705db16f19e3d026d9f09e503fbf5

SnakeKeylogger

+ 1'616 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger spyware stealer

Link:

https://tria.ge/reports/210805-6sd397jlhn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Unpacked files

SH256 hash:

aed00f82f1772e5a403cce9c1349202c8371e67ed9ef19a33cac0bf2a411f3c1

MD5 hash:

c273f926e2a29bd62cc8f27b569a0b2a

SHA1 hash:

e08d302cab3e11d776599a6b0537207fce6f9c51

Link:

https://www.unpac.me/results/6c8b9720-6bde-47e9-b712-ac13dbe49c05/

SH256 hash:

f05d226e1b959fe6ccb5473ffe30fbfd3238c3683c29ab6e7816d0977e903190

MD5 hash:

0818596893fe7117703fd15607e278f3

SHA1 hash:

c89dd19f26222617f1176dc25a83b84ddbf5d492

Link:

https://www.unpac.me/results/6c8b9720-6bde-47e9-b712-ac13dbe49c05/

SH256 hash:

02963e9d50882e2e9d6803cb1c8de3a352bfae5d1b330920dd0c241bc5376310

MD5 hash:

878638695214abc29e8fa025128dcbd7

SHA1 hash:

62fa2a396747fa591314948158d1d21eb3d226e2

Link:

https://www.unpac.me/results/6c8b9720-6bde-47e9-b712-ac13dbe49c05/

SH256 hash:

11ec5629d8faba1d833f479be2741e05dbf9cf4e391a651afef4ed3b4f9b8cc8

MD5 hash:

e3edc417be072edc95357b41c5901d75

SHA1 hash:

ac9319644fb88e04255497f0462f18ccd391b709

Link:

https://www.unpac.me/results/6c8b9720-6bde-47e9-b712-ac13dbe49c05/

Malware family:

Mal/Generic-S

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/11ec5629d8fa/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/11ec5629d8faba1d833f479be2741e05dbf9cf4e391a651afef4ed3b4f9b8cc8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/176752/

URLhaus

https://urlhaus.abuse.ch/url/1508986/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample