MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 132f4b687fca2ea6031d2c08c51ffb634bbed67545c0a2e8f62c1e0e137782a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 17

Intelligence 17 IOCs YARA 12 File information Comments

SHA256 hash:	132f4b687fca2ea6031d2c08c51ffb634bbed67545c0a2e8f62c1e0e137782a2
SHA3-384 hash:	95f3f4eab67ed423f724ac04bf6bf68b48920265b9d5ffb2d373215163f76839adffd017eae708ed6668c550a03633d3
SHA1 hash:	4532867389682e6baa4380d8d1c25aef9820b836
MD5 hash:	2425462d4d190b94ad8e1470cde3e037
humanhash:	carpet-leopard-network-missouri
File name:	FYRERTY9876789.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	348'137 bytes
First seen:	2023-06-10 10:02:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep	6144:/Ya6lTfu5+D+QJnnxwjIRjnnqHUut6f15pEnBXU7kMQKIgackKb+MV/9sdn:/Y3TRJXtnqbEqQzQKIwV/9sdn
Threatray	4'867 similar samples on MalwareBazaar
TLSH	T1467423AA53D09827E73849726C335B170FFA9A164528734B1B585B8DBB3F2429F6D303
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

271

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

FYRERTY9876789.exe

Verdict:

Malicious activity

Analysis date:

2023-06-10 10:15:35 UTC

Tags:

evasion snake keylogger trojan

Link:

https://app.any.run/tasks/0f4d122e-1828-45c7-ad68-167c64753d6c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/397513/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.67425520.561.13291.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a file

Unauthorized injection to a recently created process

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/90174/overview

Behaviour

MalwareBazaar

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

lolbin overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/64844a5b3d73a4d71709fff6/reports/b2a73178-1471-4d6f-96b7-f6aad11874cd/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/132f4b687fca2ea6031d2c08c51ffb634bbed67545c0a2e8f62c1e0e137782a2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4803e7ed-155d-4e9c-a679-16b0aab00a26

Result

Threat name:

NSISDropper, Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1252351

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Yara detected NSISDropper

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/132f4b687fca2ea6031d2c08c51ffb634bbed67545c0a2e8f62c1e0e137782a2/

Threat name:

Win32.Infostealer.Mintluks

Status:

Malicious

First seen:

2023-06-07 19:14:16 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 37 (67.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=cmxuw2d7zixkmay5fqemkh73mnf35vtvixakf2hwfqpa4e3xqkra._file

Verdict:

malicious

SnakeKeylogger

15994314eaefe9e800a2f5028dcf65d886e15f35089df8bf6d114e954a601e6d

SnakeKeylogger

19b2a3829ed8eb3ff4a36bd542c114c3b28b23c64dfa4560db86e4f902d7f7a2

SnakeKeylogger

4ab558181de9bd2dd00dc75eb66840c18c9243c62d72ee90d4e037d9be472721

SnakeKeylogger

5f4d2798e71ac2cd0315a6d1ed4c5fcb51d445bdf60a574d51ca673b90172780

SnakeKeylogger

cd8f48ff53a64677eead33cd179d5215e63e59d5e5bcd9cdddf2c3876f638027

SnakeKeylogger

dfe752002f955e1facba9518dc6ac3854b9aa6ec196fcc22068f41e4f5c87cf3

SnakeKeylogger

f453407e0d8ba9650704045d1f0722f70e9ab9ee1460b88c97f937842b02f585

SnakeKeylogger

f4cd4df9815a2c3902f07a5389fa171f3fd6b27ae1e9af262d19d6bd286ae9cd

SnakeKeylogger

+ 4'857 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230610-l3cfwsef26/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

e80af42df958d85f6fa152ac16f921dfde54b92d96f7df32df3b54f921ec90b9

MD5 hash:

5627d8c0f4d49827d97fa4206a85371d

SHA1 hash:

b469c5e42163eb9b0bffec86aa13550314241f07

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/2e7e79e1-8120-48db-9ee2-8cf9551a6265/

Parent samples :

132f4b687fca2ea6031d2c08c51ffb634bbed67545c0a2e8f62c1e0e137782a2
47fc03f67fe9678fcc2a68bfd2fe0d75dec153ba66f84088395020b28cc7307f
ce4992ca463fe9ea22b26f0f8f0ff933c680226947870a0cbb07402d04f9dbe4
62bb51a5a9b90f4e6969abc219a75378eb3cb58d224df2a41644d5691ff69565
91f9a73b2cefb5ed67e573cdb63eaddf9e6f4e5b05391fd874b5df71bee8b4d0
93133ecf9797168ced685ba72754f542dfb00f20054adddad2b528c6685e8cfb

SH256 hash:

45cdcfa900e29da834773efb5c7307543858d950f04b1827cd6d7821bf032970

MD5 hash:

16cb6481909980a9488e7c46b5cb7214

SHA1 hash:

8a2feec2a594fd83b1c27b91caeb1770f9336c1f

Link:

https://www.unpac.me/results/2e7e79e1-8120-48db-9ee2-8cf9551a6265/

SH256 hash:

6a9f1f270f9d2dc01ed90fea727a564e2b47b1459b00ecbaf012eb75421aecfa

MD5 hash:

c08b368de50b636515ec38a0e29510c8

SHA1 hash:

769fb8ea7d9343a23e42ef8aa56e269e1328945b

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/2e7e79e1-8120-48db-9ee2-8cf9551a6265/

SH256 hash:

132f4b687fca2ea6031d2c08c51ffb634bbed67545c0a2e8f62c1e0e137782a2

MD5 hash:

2425462d4d190b94ad8e1470cde3e037

SHA1 hash:

4532867389682e6baa4380d8d1c25aef9820b836

Link:

https://www.unpac.me/results/2e7e79e1-8120-48db-9ee2-8cf9551a6265/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/132f4b687fca/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/132f4b687fca2ea6031d2c08c51ffb634bbed67545c0a2e8f62c1e0e137782a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Windows_Trojan_SnakeKeylogger_af3faa65 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/397513/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample