MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 185b0943e47ff2499a805f751a20dfd58ef018e9e20f170a51cfd9d009992803. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 11


Intelligence 11 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 185b0943e47ff2499a805f751a20dfd58ef018e9e20f170a51cfd9d009992803
SHA3-384 hash: 54a5a69b34117315365e0cb60e61be0bffb58cf17046674bc785351b31d115351d085c4d7f3f58f574be3e7659a3188e
SHA1 hash: 777a6477ce223ee70348d28c1a789d29b8a6d1f0
MD5 hash: 229fc8af13dd6426cdd18ff1b3ca4198
humanhash: cold-ack-magazine-connecticut
File name:New proforma invoice payment #SF 02693266.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:657'408 bytes
First seen:2021-08-17 14:11:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:cp0tkaHe+/8gGVNgEeTCy+5y4/QhNDtFwI1CP3snobfYG8/jSueTZiWNMIuWbyS:G0t1PLFwI1vnOx
Threatray 728 similar samples on MalwareBazaar
TLSH T17DE47D2039FA511AF173AFA55AE474969BAFB773360BE41D149103CB0723F40DE91A3A
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New proforma invoice payment #SF 02693266.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-17 14:18:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f0c0e0f2-7a88-4e87-ae4f-4bcf205e0d9b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180096/
Detection(s):
SecuriteInfo.com.Artemis229FC8AF13DD.12195.2489.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Sending a UDP request
Unauthorized injection to a system process
Forced shutdown of a browser
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4e6ca66-37d7-488d-af24-cce8a5bade03
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834427
Signature
.NET source code references suspicious native API functions
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Process Start Without DLL
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/185b0943e47ff2499a805f751a20dfd58ef018e9e20f170a51cfd9d009992803/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-08-17 14:12:42 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dbnqsq7ep7zetgual52ruig72whpaghj4ihrocsrz7m5acmzfabq._file
Verdict:
malicious
Similar samples:
1bad27962e547d124508b0d4cf410099897016d06a60ef51badf5fb67b95771e
SnakeKeylogger
252225cfd4ec7a7b61e5138d1587a4a212909f596004b8a157fe9f0ed4c6496b
SnakeKeylogger
4e449fdff6df1acbaba9250bb8cb66e4674d49be190c0c9070ca3f5b8ee73435
SnakeKeylogger
9ff44ba44707bbdda0a858a2d0c11725b146fb4671ed91295ce2e0a3ac8b175c
SnakeKeylogger
bbeac700ec88ce4b23f0bb5c996effc1586ef0e7802bc18695ecd3845a2a0022
SnakeKeylogger
fe7933b0f7dde64587b0bbdaa5e4728066c4eb56edab2ee863ad94cf52b0391f
SnakeKeylogger
+ 718 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger spyware stealer
Link:
https://tria.ge/reports/210817-sxd7ncrzen/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Snake Keylogger
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/c7d9b2a0-f7ac-40c5-a03e-05dbff2df7a1/
SH256 hash:
2cb4ef6ec5d38ba8fe828258bcc118e2efa309ee20c883394a31d1e40ddd9fd7
MD5 hash:
c4fa7c30a1cfa60c99772ba1396a094a
SHA1 hash:
c5962bed213ac7a3efd7503d32139ca2f1a7e1eb
Link:
https://www.unpac.me/results/c7d9b2a0-f7ac-40c5-a03e-05dbff2df7a1/
SH256 hash:
1888b25856c1914bb0adbfaf24259a74e9f195113126a19f432110dcd608f5af
MD5 hash:
7d94ef04a25267868b551c89fa870ac9
SHA1 hash:
085227fc7c39db831bbbc6043770a54a0c0f5708
Link:
https://www.unpac.me/results/c7d9b2a0-f7ac-40c5-a03e-05dbff2df7a1/
SH256 hash:
185b0943e47ff2499a805f751a20dfd58ef018e9e20f170a51cfd9d009992803
MD5 hash:
229fc8af13dd6426cdd18ff1b3ca4198
SHA1 hash:
777a6477ce223ee70348d28c1a789d29b8a6d1f0
Link:
https://www.unpac.me/results/c7d9b2a0-f7ac-40c5-a03e-05dbff2df7a1/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/185b0943e47f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/185b0943e47ff2499a805f751a20dfd58ef018e9e20f170a51cfd9d009992803

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 185b0943e47ff2499a805f751a20dfd58ef018e9e20f170a51cfd9d009992803

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/180096/

Comments