MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16b163153461d9b752ae96aa43450d3092e701d22e867d3ad5941b2b72bdbb18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16b163153461d9b752ae96aa43450d3092e701d22e867d3ad5941b2b72bdbb18
SHA3-384 hash: 39e745ef6a8115658a72a68b062a4ca704831098052997e0284e00c411578a1510147d7191d10edeb4a53529a28cc2fe
SHA1 hash: 13171f34fd020d2ee4c8e3e6d9854827459fa2d0
MD5 hash: 41959b740bb57fd1b6ea8b4af1b6e24f
humanhash: vegan-xray-floor-butter
File name:41959b740bb57fd1b6ea8b4af1b6e24f.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:951'296 bytes
First seen:2021-08-20 15:04:51 UTC
Last seen:2021-08-20 16:12:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:qpG0iZi970m+e3W2pYmNGyF0nWQDHjRU13RCeibTSG:qpGrZ2TYmcYSdU18eib
Threatray 1'253 similar samples on MalwareBazaar
TLSH T17415163C19B91637D1B5D375EBE49423F258985FB400EE69ACDE03A7031AA8734C726E
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
41959b740bb57fd1b6ea8b4af1b6e24f.exe
Verdict:
Malicious activity
Analysis date:
2021-08-20 15:05:27 UTC
Tags:
evasion trojan snakekeylogger keylogger
Link:
https://app.any.run/tasks/ba5aaa82-2a85-425f-8d3f-6e53b66d6898

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180984/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.DZG.genEldorado.17389.8736.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b9a0570-5871-400d-9c89-7aa44d8f3e2e
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/836511
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/16b163153461d9b752ae96aa43450d3092e701d22e867d3ad5941b2b72bdbb18/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-08-20 15:05:13 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=c2ywgfjumhm3ouvos2vegringcjooaosf2dh2owvsqnsw4v5xmma._file
Verdict:
malicious
Similar samples:
300255f5b9216ec3e80aeb8d74b644f7b8ec836c56eee077c793ae348514dcc4
SnakeKeylogger
3c7961a3ee40fdec4c40a44d5e7b8f1324ee0a3f4c5c4b439683064b229a08e2
SnakeKeylogger
5c48b185c563d651a20fa4c212d08550810f1fd459351ece28509805061b19be
SnakeKeylogger
792d5d8408b4fc83ba11e298c876d53ffa027dbc46502f2e837aa7f47f30e0fd
SnakeKeylogger
7a7f77fc4dd808cf0bc818fb9a05c0c1a9a9a21cd06e9982b014b8e4e3824562
SnakeKeylogger
7d6908ae43fb741400ac24a976de03ee6e72a8a306e3fdea805aa4257fb93f1b
SnakeKeylogger
941a701614e8220c3599ad892dc9ce472fef5f7747df9e718ad8e1403851754c
SnakeKeylogger
bb037304cfd0d902a0b498ec07ac1820b400f7741b6b6c4e9e823e9c4868f473
SnakeKeylogger
c8ec3993f019e1eb809a9087b55a63fca50e09670c5e7747f499af35869fdd7b
SnakeKeylogger
c9ab4dba9b10e882c2ea49177ad2f66cc4370c395c7e4b4199a3b268b40f89dd
SnakeKeylogger
+ 1'243 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210820-rksbyrkc4a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Unpacked files
SH256 hash:
6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61
MD5 hash:
03bde4a82ad64c0f314985232fbca3fa
SHA1 hash:
e8d0b6339e94192eaaca32c812f914e60576dca6
Link:
https://www.unpac.me/results/a1b24d88-580c-4dcd-b04a-15cb42904dee/
SH256 hash:
4e8a5a4ed2190dbbeb166c206ce6424a5008f0ac192e992888172373920fbaba
MD5 hash:
b374dd695bdfb58ffaf138474ab48523
SHA1 hash:
87a1ddc0d9bb8c023524303d98be53b8529962e6
Link:
https://www.unpac.me/results/a1b24d88-580c-4dcd-b04a-15cb42904dee/
SH256 hash:
fbb5c9312b4594cbdff5a1438f9105ad44f0bbf6ffab00c70a821dae3c677d77
MD5 hash:
c0725a0a676a2c2748a55b6887af3dcd
SHA1 hash:
1cf909628ecf064dcdf4ad14c0e534bee68cf1a3
Link:
https://www.unpac.me/results/a1b24d88-580c-4dcd-b04a-15cb42904dee/
SH256 hash:
16b163153461d9b752ae96aa43450d3092e701d22e867d3ad5941b2b72bdbb18
MD5 hash:
41959b740bb57fd1b6ea8b4af1b6e24f
SHA1 hash:
13171f34fd020d2ee4c8e3e6d9854827459fa2d0
Link:
https://www.unpac.me/results/a1b24d88-580c-4dcd-b04a-15cb42904dee/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/16b163153461d9b752ae96aa43450d3092e701d22e867d3ad5941b2b72bdbb18

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

Executable exe 16b163153461d9b752ae96aa43450d3092e701d22e867d3ad5941b2b72bdbb18

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/180984/
  
URLhaus
https://urlhaus.abuse.ch/url/1541343/
  
Delivery method
Distributed via web download

Comments