MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1486a2ea19a9a383f1b5ce201a4a0ef973269094c87faa9458cfe913dd1e4a88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1486a2ea19a9a383f1b5ce201a4a0ef973269094c87faa9458cfe913dd1e4a88
SHA3-384 hash: d4126920977b32a97139ca7c14bd913f20ded16a825b4fa173b19b5710702f0e15058383d7109b896a2b3eac80a78c52
SHA1 hash: fe4cedfa403a32311227871410e0abf998b6b8ef
MD5 hash: d89078bbe0d8a9268aafaff40e113ed9
humanhash: florida-august-table-juliet
File name:file.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:770'281 bytes
First seen:2021-01-31 07:45:36 UTC
Last seen:2021-01-31 09:58:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 12288:TA1gEF4z+pekJAhB1hGMJqmsTKqWXFmYRSPWU4sIT7j7Rb3Khm2fAP3:TA11CSw/hBKDmsT6RcPT4sIPj7N+MP
Threatray 32 similar samples on MalwareBazaar
TLSH 08F42BD1F190C89AED6B05F1BD2BA93024D7BE9C94A4410C569DBB1B76F3342209FE1E
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2021-01-31 07:47:30 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/84644651-c164-447a-ace3-da569a4a0b82

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/114922/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Changing a file
Creating a file in the %temp% directory
Creating a window
Creating a file
Sending a UDP request
Creating a file in the %AppData% subdirectories
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Modifying a system file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/594725
Signature
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 346400 Sample: file.exe Startdate: 31/01/2021 Architecture: WINDOWS Score: 84 38 Multi AV Scanner detection for dropped file 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected Snake Keylogger 2->42 44 May check the online IP address of the machine 2->44 6 file.exe 17 2->6         started        10 file.exe 1 24 2->10         started        process3 file4 18 C:\Users\user\AppData\Local\...\TestProj.dll, PE32 6->18 dropped 20 C:\Users\user\AppData\Local\...\System.dll, PE32 6->20 dropped 46 Multi AV Scanner detection for dropped file 6->46 48 Writes to foreign memory regions 6->48 50 Maps a DLL or memory area into another process 6->50 12 MSBuild.exe 2 6->12         started        22 C:\Users\user\AppData\Roaming\...\file.exe, PE32 10->22 dropped 24 C:\Users\user\AppData\Local\...\System.dll, PE32 10->24 dropped 16 MSBuild.exe 15 2 10->16         started        signatures5 process6 dnsIp7 26 checkip.dyndns.org 12->26 28 172.67.188.154, 443, 49755 CLOUDFLARENETUS United States 12->28 30 192.168.2.1 unknown unknown 12->30 32 checkip.dyndns.org 16->32 34 checkip.dyndns.com 216.146.43.70, 49742, 49743, 49753 DYNDNSUS United States 16->34 36 freegeoip.app 104.21.19.200, 443, 49746 CLOUDFLARENETUS United States 16->36 52 Tries to steal Mail credentials (via file access) 16->52 54 Tries to harvest and steal browser information (history, passwords, etc) 16->54 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1486a2ea19a9a383f1b5ce201a4a0ef973269094c87faa9458cfe913dd1e4a88/
Threat name:
Win32.Trojan.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-01-29 10:53:05 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=csdkf2qzvgryh4nvzyqbusqo7fzsneeuzb72vfcyz7urhxi6jkea._file
Verdict:
unknown
Similar samples:
1fb769b269392860ff1951b079f7b8cf4bbe22e09a856e15fbb7a5426aa6a109
SnakeKeylogger
2a5bce88201c08a0bda97ea99db198b3a278b4f42c4ff7d0defb82b38b93d180
SnakeKeylogger
2f4fc1a5a5dccb324dcfac0022a391260fec5b2f2620b52d884f2b853a9a4471
SnakeKeylogger
3c7886c5214abc2bbc597d2afe1f28e443c75cfa7e368bec941a1b78bcf7eb12
SnakeKeylogger
66d01b6b49a09223921380d6359a4010a7e701dd620410200c61e34ff59a7aaf
SnakeKeylogger
73d7814c16c97737ef3c337788edbed7d6523a6ace4d429289e9b9b55a6bd072
SnakeKeylogger
b8fd90ea39eaa1c4f5cd065194403d851eda875f49f1de95d1f506039dc1a7ff
SnakeKeylogger
b9df96522a30d05a026ab8874eef5ddae02042585e4cc5773909838250cf2635
SnakeKeylogger
d6dd125366422144fd21e2281699aeb71fddd1680d2b73c968558a3e68408f60
SnakeKeylogger
f74318d49a5910f77a11bf60335a1a00fabf658fa498a8c03ed7d28d5749ed5a
SnakeKeylogger
+ 22 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger persistence ransomware stealer
Link:
https://tria.ge/reports/210131-wwwc8ascla/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
1486a2ea19a9a383f1b5ce201a4a0ef973269094c87faa9458cfe913dd1e4a88
MD5 hash:
d89078bbe0d8a9268aafaff40e113ed9
SHA1 hash:
fe4cedfa403a32311227871410e0abf998b6b8ef
Link:
https://www.unpac.me/results/89c59ffd-5f16-46db-8e56-cac5f26a731e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.92
Link:
https://yomi.yoroi.company/submissions/1486a2ea19a9a383f1b5ce201a4a0ef973269094c87faa9458cfe913dd1e4a88

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 1486a2ea19a9a383f1b5ce201a4a0ef973269094c87faa9458cfe913dd1e4a88

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/114922/

Comments