MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 171ff6b3d368a4c40980281ba104d126a2afc86a143bd9c510c3ba6ce5235ddc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	171ff6b3d368a4c40980281ba104d126a2afc86a143bd9c510c3ba6ce5235ddc
SHA3-384 hash:	1d59732e7a30eb05da4bd8a00e4b111e1d619ac836644d1a2d6d95b7275e4c2aa5b25f344d83ef33e2deea3d3a2fe368
SHA1 hash:	9d4711f831f968f0c7fb36c8320fd8ed997fdec7
MD5 hash:	86f91968cd7d305e26eb4dcd0f8f9328
humanhash:	music-uranus-nineteen-fanta
File name:	liqefe_03817_029.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	1'116'160 bytes
First seen:	2022-03-18 08:18:32 UTC
Last seen:	2022-03-18 10:22:16 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:R/3G9vi0sZafqkAZstcJjKpr3L2WTaQ9Kf3W0fj:t3ivi0FfRA+tcg2pQ99+j
Threatray	420 similar samples on MalwareBazaar
TLSH	T1CE3522683F748652F2AF47F4A0A346848FF5614A241ADB9EDD8170F80C137D9862F6B7
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

203

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/252303/

Detection(s):

SecuriteInfo.com.Trojan.Siggen17.26954.6907.23078.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Сreating synchronization primitives

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the %temp% directory

Launching a process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe keylogger obfuscated packed replace.exe shell32.dll

Link:

https://www.filescan.io/uploads/6234407f0cd58dbd92b51078/reports/f3b8b960-d13f-448d-9e83-fa485e8a9c1a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/eac8fa34-86e4-46ea-87b5-597f35492db9

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/959358

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Suspicious Add Scheduled Task From User AppData Temp

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

snakekeylogger

Link:

https://mwdb.cert.pl/sample/171ff6b3d368a4c40980281ba104d126a2afc86a143bd9c510c3ba6ce5235ddc/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-03-17 18:13:43 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 27 (74.07%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c4p7nm6tncsmicmafan2cbgre2rk7sdkcq55triqyo5gzzjdlxoa._file

Verdict:

malicious

SnakeKeylogger

8d88527fc05bf49544ea2119528bc24bd08e75f2cb3b526a641d6a684ed9bc1f

SnakeKeylogger

a306a3946f4b31aa9c89320318bd2060a71077850d735ec94fe1cef950d0d9d3

SnakeKeylogger

b36891ab4a7fa6be1680a65614dd5551a3fa8a89052c381a954601eedd82e62c

SnakeKeylogger

d0682e8ae437e258bb8e46323307f862a27456b98a3d17fe137377023a67cea4

SnakeKeylogger

d269c7c4d85ccaae8e2c32de7aae67335d136859d6cd3b24af23eba6d5c6f561

SnakeKeylogger

d89f28603b8948dd7217e42366328a6e9bd05d59e5de67a4c39f207f8a520d43

SnakeKeylogger

f8221d4ffae4d38465210c76fd7705734eb37ced44b1caffc3d65618515f2204

SnakeKeylogger

+ 410 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger stealer

Link:

https://tria.ge/reports/220318-j7t6dsgfd9/

Behaviour

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

SnakeKeylogger

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

0577a3c709f12ed97bbb25deb65f111cf55b7ec978d6fbf2a9841b0f875245fe

MD5 hash:

ef9a2eaa3b2b12d05d9aeebed6c25265

SHA1 hash:

e7d025b5ec931f65f7631e326c57f24ac9ae5b03

Link:

https://www.unpac.me/results/32826177-bb26-45c0-ab94-3fcd17ca4010/

SH256 hash:

ea0653bd520242ff2fd4a81a1b946d0a7c6511b346e19b92eaed9b9261c0626d

MD5 hash:

e27fb0ab301cfbf00ed1e42703429510

SHA1 hash:

c23df235001d1d5794d0e63d548cbb7ae645eaa7

Link:

https://www.unpac.me/results/32826177-bb26-45c0-ab94-3fcd17ca4010/

SH256 hash:

849d515b7b594dfff3d9e95c8b487ac7b69995316b547d7c83dabcc90bfe770a

MD5 hash:

f9ceb6d40fc70efdef9149c3a4c58671

SHA1 hash:

c110e8cd368020f87a578d9849780bd7e3ccc08a

Link:

https://www.unpac.me/results/32826177-bb26-45c0-ab94-3fcd17ca4010/

SH256 hash:

6ff21c090296e9fd3ec2b17e03e184e2396adf4013b2a4f4c9dea5bd7aff38f7

MD5 hash:

7c3fb3e3d91e338ae917c4cb46895e71

SHA1 hash:

ba577b8ccb3c6bbc5e9e3a838aec98859cd4dbaa

Link:

https://www.unpac.me/results/32826177-bb26-45c0-ab94-3fcd17ca4010/

SH256 hash:

171ff6b3d368a4c40980281ba104d126a2afc86a143bd9c510c3ba6ce5235ddc

MD5 hash:

86f91968cd7d305e26eb4dcd0f8f9328

SHA1 hash:

9d4711f831f968f0c7fb36c8320fd8ed997fdec7

Link:

https://www.unpac.me/results/32826177-bb26-45c0-ab94-3fcd17ca4010/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/171ff6b3d368a4c40980281ba104d126a2afc86a143bd9c510c3ba6ce5235ddc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/252303/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample