MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b4322eaa16e3d5e78993498dce2b9e3823bf553055039d328155e1b4f6df00a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b4322eaa16e3d5e78993498dce2b9e3823bf553055039d328155e1b4f6df00a
SHA3-384 hash: 953f4cb4d8f5e22385a963457ba87558bb194d315b4650f64a3251b8d15b97aa108d07b46df6fc0cd05d2c1b902962a5
SHA1 hash: 1529f1106ad9041daf04794114f80892cd65ccca
MD5 hash: 807a4ab93574aee9637e3be4c181046b
humanhash: eighteen-cold-nuts-nuts
File name:SHK04567000987654567890000000009879.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:679'530 bytes
First seen:2022-12-29 19:32:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 98f67c550a7da65513e63ffd998f6b2e (60 x Worm.Mofksys, 21 x SnakeKeylogger, 13 x MassLogger)
ssdeep 12288:GENN+T5xYrllrU7QY6BYqC5fGLctSfIxx6Bqcx4WWHt:K5xolYQY6BYNGLOtxQbKt
TLSH T162E49EA6EA40D0AFFAA642F0F87364F576226DB6C6A05C5F6196BE01747214330B770F
TrID 58.0% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
22.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.4% (.EXE) Win64 Executable (generic) (10523/12/4)
3.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 00e8c0e8e8e05500 (1 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SHK04567000987654567890000000009879.exe
Verdict:
Malicious activity
Analysis date:
2022-12-29 19:36:44 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/65e3a3a4-0284-4150-b089-d9f5780d546b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Win.Malware.Swisyn-7610494-0
Create hunting rule

Win.Virus.Sality-6335700-2
Create hunting rule

Win.Malware.Swisyn-9942393-0
Create hunting rule

Win.Trojan.VBGeneric-6735885-0
Create hunting rule

Win.Virus.Sality-6747602-0
Create hunting rule

Win.Malware.Swisyn-6803865-0
Create hunting rule

Win.Trojan.Kazy-304
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Setting a keyboard event handler
Setting a global event handler
Sending a custom TCP request
Creating a file in the %AppData% directory
DNS request
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process by context flags manipulation
Setting a single autorun event
Launching the process to create tasks for the scheduler
Enabling autorun
Enabling a "Do not show hidden files" option
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/63adeb7340e878e304211693/reports/680ce449-05a9-4621-887c-e771feab7ff2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b3c1d9c-ba6b-449c-ae10-1a1350ff31bc
Result
Threat name:
CryptOne, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1142866
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to capture screen (.Net source)
Creates an undocumented autostart registry key
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 775596 Sample: SHK045670009876545678900000... Startdate: 29/12/2022 Architecture: WINDOWS Score: 100 108 Snort IDS alert for network traffic 2->108 110 Malicious sample detected (through community Yara rule) 2->110 112 Antivirus detection for dropped file 2->112 114 10 other signatures 2->114 11 SHK04567000987654567890000000009879.exe 1 4 2->11         started        15 explorer.exe 2->15         started        17 svchost.exe 2->17         started        19 6 other processes 2->19 process3 file4 78 shk04567000987654567890000000009879.exe, PE32 11->78 dropped 80 C:\Users\user\AppData\Local\icsys.icn.exe, PE32 11->80 dropped 140 Installs a global keyboard hook 11->140 21 icsys.icn.exe 3 11->21         started        25 shk04567000987654567890000000009879.exe 19 11->25         started        142 Query firmware table information (likely to detect VMs) 17->142 144 Changes security center settings (notifications, updates, antivirus, firewall) 19->144 signatures5 process6 file7 74 C:\Windows\System\explorer.exe, PE32 21->74 dropped 132 Antivirus detection for dropped file 21->132 134 Machine Learning detection for dropped file 21->134 136 Drops executables to the windows directory (C:\Windows) and starts them 21->136 138 2 other signatures 21->138 27 explorer.exe 1 24 21->27         started        76 C:\Users\user\AppData\Local\...\cotcmgemj.exe, PE32 25->76 dropped 32 cotcmgemj.exe 1 25->32         started        signatures8 process9 dnsIp10 94 vccmd01.zxq.net 51.81.194.202, 443, 49704, 49705 OVHFR United States 27->94 96 googlecode.l.googleusercontent.com 142.251.31.82, 49701, 49702, 49703 GOOGLEUS United States 27->96 98 5 other IPs or domains 27->98 82 C:\Windows\System\spoolsv.exe, PE32 27->82 dropped 146 Antivirus detection for dropped file 27->146 148 System process connects to network (likely due to code injection or exploit) 27->148 150 Creates an undocumented autostart registry key 27->150 156 3 other signatures 27->156 34 spoolsv.exe 2 27->34         started        152 May check the online IP address of the machine 32->152 154 Maps a DLL or memory area into another process 32->154 39 cotcmgemj.exe 32->39         started        41 conhost.exe 32->41         started        43 cotcmgemj.exe 32->43         started        45 cotcmgemj.exe 32->45         started        file11 signatures12 process13 dnsIp14 88 192.168.2.1 unknown unknown 34->88 72 C:\Windows\System\svchost.exe, PE32 34->72 dropped 118 Antivirus detection for dropped file 34->118 120 Machine Learning detection for dropped file 34->120 122 Drops executables to the windows directory (C:\Windows) and starts them 34->122 130 2 other signatures 34->130 47 svchost.exe 5 4 34->47         started        90 checkip.dyndns.com 132.226.8.169, 49709, 80 UTMEMUS United States 39->90 92 checkip.dyndns.org 39->92 124 Tries to steal Mail credentials (via file / registry access) 39->124 126 Tries to harvest and steal ftp login credentials 39->126 128 Tries to harvest and steal browser information (history, passwords, etc) 39->128 file15 signatures16 process17 file18 84 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 47->84 dropped 86 C:\Users\user\AppData\Local\stsys.exe, PE32 47->86 dropped 100 Antivirus detection for dropped file 47->100 102 Detected CryptOne packer 47->102 104 Machine Learning detection for dropped file 47->104 106 3 other signatures 47->106 51 spoolsv.exe 1 47->51         started        54 at.exe 1 47->54         started        56 at.exe 1 47->56         started        58 18 other processes 47->58 signatures19 process20 signatures21 116 Installs a global keyboard hook 51->116 60 conhost.exe 54->60         started        62 conhost.exe 56->62         started        64 conhost.exe 58->64         started        66 conhost.exe 58->66         started        68 conhost.exe 58->68         started        70 15 other processes 58->70 process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b4322eaa16e3d5e78993498dce2b9e3823bf553055039d328155e1b4f6df00a/
Threat name:
Win32.Trojan.Swisyn
Create hunting rule
Status:
Malicious
First seen:
2022-12-29 15:22:05 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
37 of 40 (92.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dnbsf2vbny6v46ezgsmnzyvz4obdx5ktavidtuzicvpbwt3n6afa._file
Verdict:
malicious
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection evasion keylogger persistence spyware stealer
Link:
https://tria.ge/reports/221229-x9h3sshb9z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Modifies Installed Components in the registry
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
Snake Keylogger
Snake Keylogger payload
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/aa5ef932-7126-480c-919e-496fdc366d56
Unpacked files
SH256 hash:
0cb7515d41e9e1d0676c9bd8a452b3d052d1c229557e653940173a970e1ecf8d
MD5 hash:
f14b88e3705c468a06430f4a45cfb48d
SHA1 hash:
7904e10118a74ae6e2b3e7990689e1b7359ac83e
Link:
https://www.unpac.me/results/ea7c33d8-8ea0-47f4-bfd5-d7380ed5b7d6/
SH256 hash:
87f71063ec3e53670ba3160c518966288b8584e143acf3aaa658fdb724a87a4b
MD5 hash:
7bb01a029532504d4e54681c729116e4
SHA1 hash:
fc7e674decc60252196ffe02539b1ce88303ec68
Link:
https://www.unpac.me/results/ea7c33d8-8ea0-47f4-bfd5-d7380ed5b7d6/
SH256 hash:
1b4322eaa16e3d5e78993498dce2b9e3823bf553055039d328155e1b4f6df00a
MD5 hash:
807a4ab93574aee9637e3be4c181046b
SHA1 hash:
1529f1106ad9041daf04794114f80892cd65ccca
Link:
https://www.unpac.me/results/ea7c33d8-8ea0-47f4-bfd5-d7380ed5b7d6/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1b4322eaa16e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b4322eaa16e3d5e78993498dce2b9e3823bf553055039d328155e1b4f6df00a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments