MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15cff1e96f3e53bed8732e1941086ab69123e8937918b03122a80e0dce4abbc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	15cff1e96f3e53bed8732e1941086ab69123e8937918b03122a80e0dce4abbc1
SHA3-384 hash:	288594786008df96549cdcd6102e1b0a7d41425388bcc4db6805801663bc5880c4d8e170ad49a7910181df87a757e550
SHA1 hash:	bfce9ad1fdb514770f486aac3b4dbc044e24e183
MD5 hash:	a8cf69d5851a9d0573b8441576ce0118
humanhash:	low-arkansas-cold-lemon
File name:	Q1fcYSf0PPkurWF.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	754'176 bytes
First seen:	2021-05-28 05:53:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:XDrCK920nNlUKVCyo2E6Ftj1Zz0N4R/xZtU:XfCK/NlP8B2E6Tjfzldt
Threatray	23 similar samples on MalwareBazaar
TLSH	6DF47D2D1698075BD17DD3B9CEE4801393E0F527B222FE9D98C503690B5368AB99733E
Reporter	cocaman
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Q1fcYSf0PPkurWF.exe

Verdict:

Malicious activity

Analysis date:

2021-05-28 05:54:24 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/61e5cf00-7f8c-4860-9a01-813e4e534811

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/162886/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.763-1.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/793648

Signature

.NET source code contains very large strings

Found malware configuration

Injects a PE file into a foreign processes

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Beds Obfuscator

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/15cff1e96f3e53bed8732e1941086ab69123e8937918b03122a80e0dce4abbc1/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-05-27 21:35:33 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

11 of 46 (23.91%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cxh7d2lphzj35wdtfymuccdkw2ish2etpemlamjcvaha3tskxpaq._file

Verdict:

unknown

SnakeKeylogger

08f8fb048455eaa71cf153651e2c8643e1669ad29be5f523de0b8bb39996e92c

SnakeKeylogger

3dde92f19924860f0874ee0fe3fab80a1112c20e18d9782528bd7c471f0f2344

SnakeKeylogger

3f416eb40a2f3043bb0e16cc684a3cecdae3fee9f340e4adf9ddb700e4bf2cfd

SnakeKeylogger

5b7c7d4bf17521dddc7ee1accfee37d1b50e89f634e7c67439ae92dcef4c32e3

SnakeKeylogger

8ca38b4cf8849e7b7d18cc8afdae915c4dedc2f5aaca4b9a4fd57bdfd5e25a25

SnakeKeylogger

ba41656ca5e0e243cff9f6a536c43998a9dbc492f5e813a0022e84359b2e0ef8

SnakeKeylogger

ca54068918281e4c84cdd17b0a834f9518cda57c362d82a8393bcae117af33c0

SnakeKeylogger

cc93a9e201ac4c87c3bad57865bea80244c9ecbeb9a381ba467a81fe1b86a015

SnakeKeylogger

d3ed59aa66458ead040f4d4b8e0df0e90b5ed1301102b9913516317feca3fbaf

SnakeKeylogger

+ 13 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger spyware stealer

Link:

https://tria.ge/reports/210528-3fb5zh4qla/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger Payload

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/15cff1e96f3e53bed8732e1941086ab69123e8937918b03122a80e0dce4abbc1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing URLs to raw contents of a Github gist