MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 127830a62577141d565621749c3234430b47b3c502057e493f26ed0dcec07bbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

SHA256 hash: 127830a62577141d565621749c3234430b47b3c502057e493f26ed0dcec07bbe
SHA3-384 hash: 8edd096890797421d57968723126eac53981ac86b3e05b754519aef8eefe2935e820fef5aa6052e98399a8ba94880646
SHA1 hash: f85e5f40228132699d8703fe4aa904c8a22ba0e6
MD5 hash: dea0793a4fd6ec5a3cadc8ca3ad8c27f
humanhash: oregon-mirror-artist-delta
File name: SRTPO8765434.exe
Signature SnakeKeylogger
File size: 2'455'040 bytes
First seen: 2023-03-22 15:54:38 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 35 x Vidar)
ssdeep 49152:K59zMNe/OkZI6oVJ5Yz1tZD1V5NQSrBnbx:AzyaO26J8ZD1V5Nftbx
Threatray 4'694 similar samples on MalwareBazaar
TLSH T1C8B58C51FCDB24F1EA43153248A762AF2335A9091B319FC7DA447B7EAC736E10E32256
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags: exe SnakeKeylogger

Intelligence


File Origin
# of uploads :
1
# of downloads :
251
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SRTPO8765434.exe
Verdict:
Malicious activity
Analysis date:
2023-03-22 15:55:28 UTC
Tags:
evasion snake keylogger trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Searching for the window
Creating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a window
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
anti-vm golang greyware packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Verdict:
Malicious
Result
Threat name:
Snake Keylogger
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.SnakeStealer
Status:
Malicious
First seen:
2023-03-22 15:55:10 UTC
File Type:
PE (Exe)
AV detection:
12 of 24 (50.00%)
Threat level:
5/5
Result
Malware family:
snakekeylogger
Score:
10/10
Tags:
family:snakekeylogger collection keylogger spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Snake Keylogger payload
Unpacked files
SHA256 hash:
6b1646cae206c3977333ca175b4fc99a268946aaf077113ac58d145ff81b05f0
MD5 hash:
00827e6622a47f00eaf058048f68fdc6
SHA1 hash:
4f4fed6a3b41947c31606c021dcd85c2418c7885
Detections:
snake_keylogger win_masslogger_w0
Parent samples :
SHA256 hash:
127830a62577141d565621749c3234430b47b3c502057e493f26ed0dcec07bbe
MD5 hash:
dea0793a4fd6ec5a3cadc8ca3ad8c27f
SHA1 hash:
f85e5f40228132699d8703fe4aa904c8a22ba0e6
Malware family:
SnakeKeylogger
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Rule name:golang
Rule name:Golangmalware
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Description:Golang strings present
Rule name:HiveRansomware
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments