MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1997d0db749ed1dfc24d90ea0fcf6af634aa34b5bd2b9ad35932493f67e9fdce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	1997d0db749ed1dfc24d90ea0fcf6af634aa34b5bd2b9ad35932493f67e9fdce
SHA3-384 hash:	556a1f790a41db02daf3cd105ae531f8bbeb784378db317c5ea4a9305e898d91e8976c980ea4e9d7213bd0b5ddfc58ad
SHA1 hash:	790fe9b655289c7379cd100d3401a1d08da199e8
MD5 hash:	bf6133744240674055bdd0b7783cea73
humanhash:	idaho-oven-saturn-nuts
File name:	rCIMB-Transfer_Advice-202310301849809.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	337'920 bytes
First seen:	2023-10-31 10:55:21 UTC
Last seen:	2023-10-31 12:54:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:MCKABMNiti0sBlU5gKB1lwPnGPLes5sOUvszaMzyMFsPe35bgaG/QQD:MfA6bhu8noLes5sOUvsziML35bgaGT
Threatray	5'808 similar samples on MalwareBazaar
TLSH	T1A07412E7DA5407B2E53353F5B238A1E8123AB061710CEC56AF42B8C444BE75EEF51BA1
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	FXOLabs
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

360

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/457350/

Detection(s):

SecuriteInfo.com.Trojan.KeyloggerNET.54.5282.27523.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Reading critical registry keys

Creating a window

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed remcos

Link:

https://www.filescan.io/uploads/6540dd472e754890e47fd46b/reports/dd47aae2-f125-498a-9482-4b5518fedfbc/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/1997d0db749ed1dfc24d90ea0fcf6af634aa34b5bd2b9ad35932493f67e9fdce

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6de87ef5-9fdb-41a1-baf9-37f17fb5ba46

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1334817

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/1997d0db749ed1dfc24d90ea0fcf6af634aa34b5bd2b9ad35932493f67e9fdce

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1997d0db749ed1dfc24d90ea0fcf6af634aa34b5bd2b9ad35932493f67e9fdce/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2023-10-30 07:24:52 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dgl5bw3ut3i57qsnsdva7t3k6y2kunfvxuvzvu2zgjet6z7j7xha._file

Verdict:

malicious

SnakeKeylogger

6ee1e5991a0d9c2fe23d62b4d13a6279cf121eb49c0675a23050fa5bceee9d37

SnakeKeylogger

765daa6202872b486382897bb06f4e17522fc29173677ea38e6e3451c5fb5d3e

SnakeKeylogger

7cdaec4816187a281084f9274bed4893b2d850bad9ceb7d0bdd4571fbbaa5cb7

SnakeKeylogger

9b8823dcdaeeea59ec64f4718bff9619d1d0c24e4953a0002d6dc96a12f330be

SnakeKeylogger

b3c45a636fbb907b7a96dc9bb2986f698ca375524c61507a5fe414a940f72b16

SnakeKeylogger

b88bee1afe7b8d9a9eb11c6293e552e0c4e91eef2bc3fe8984d65216f566a59c

SnakeKeylogger

bd38a5ec8fe7f50647e8d16d119058656f5099d99ef1713081add04dcea453fa

SnakeKeylogger

f6c2d0b8bd9246f4e0d5dae254b54f621d22ddd43ab1014f91777c4334c42865

SnakeKeylogger

+ 5'798 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/231031-m1nxksfe91/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Unpacked files

SH256 hash:

5ae79aa1af070bcd6e99fe79b2d2a545aff6104e63911f4f43eed04741eb91d6

MD5 hash:

aaccc935f129404dc5138e0ec2b00c50

SHA1 hash:

e3e9530534c659184e65c46850362110dbef08f0

Link:

https://www.unpac.me/results/efca5069-8ead-474a-a75b-7881d60e18d0/

SH256 hash:

2df81b7a7580dd8099502f1caaf6ecf3af80d9b04ffe32cf2ac7834d944cc1f2

MD5 hash:

4cfae6afed1c1626499592c0d6711f93

SHA1 hash:

9f41bbd487e22867d3942e0db7a394ae00a69009

Link:

https://www.unpac.me/results/efca5069-8ead-474a-a75b-7881d60e18d0/

SH256 hash:

f0a87916130077ac9b1fe4f3637b490c75b11f20b9675204f1c03dbb0d2eb4a8

MD5 hash:

f1abfd848b46500fe77bb35944a6ac1d

SHA1 hash:

9211f229134109e0a298261e7c4d8ea944fb0b39

Detections:

snake_keylogger

win_404keylogger_g1

Link:

https://www.unpac.me/results/efca5069-8ead-474a-a75b-7881d60e18d0/

SH256 hash:

1997d0db749ed1dfc24d90ea0fcf6af634aa34b5bd2b9ad35932493f67e9fdce

MD5 hash:

bf6133744240674055bdd0b7783cea73

SHA1 hash:

790fe9b655289c7379cd100d3401a1d08da199e8

Link:

https://www.unpac.me/results/efca5069-8ead-474a-a75b-7881d60e18d0/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1997d0db749e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 1997d0db749ed1dfc24d90ea0fcf6af634aa34b5bd2b9ad35932493f67e9fdce

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/457350/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample