MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b7416ccd14d77c3e32acd8de94d7a3e41d7c615ce2fe04ab9254025fade1464. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 9

Intelligence 9 IOCs YARA 8 File information Comments

SHA256 hash:	1b7416ccd14d77c3e32acd8de94d7a3e41d7c615ce2fe04ab9254025fade1464
SHA3-384 hash:	a3cedd821004adc0f6fa9acfca6f44f724b1a7c06ee859e6614fe8686ae1e22d237abe25a29cb13ad13659b47d835ef1
SHA1 hash:	12173902ddd86e520055c09c2ec33528bd272411
MD5 hash:	139d42abb395bab309612cb3bd31b4bd
humanhash:	nitrogen-jersey-autumn-pasta
File name:	IMG-433665587656789565467654-9873.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	449'943 bytes
First seen:	2021-07-26 13:07:37 UTC
Last seen:	2021-07-26 13:51:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d4cc1601fd324eebfdf856765dda2bd4 (3 x Formbook, 1 x SnakeKeylogger, 1 x RemcosRAT)
ssdeep	12288:Vf1cG+DGoqS09iJOCDyjqkoocU9rF0vdSPntqW5B:vDGlJOljvoC9rGvIPntzB
Threatray	356 similar samples on MalwareBazaar
TLSH	T101A4F12538C0C473D877283008F0D6B16A2EBD720F65998F77815739AF356A2A616F6F
Reporter	lowmal3
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

157

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

IMG-433665587656789565467654-9873.exe

Verdict:

Malicious activity

Analysis date:

2021-07-26 13:10:11 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/aec86864-4f37-46c1-8dd3-9647c43810e9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/174127/

Detection(s):

SecuriteInfo.com.Win32.Kryptik.HLVG.8259.13161.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Sending a UDP request

Unauthorized injection to a system process

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f70633b2-8f8f-4fb9-a97b-2c9fe76fbfcf

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/821787

Signature

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected Snake Keylogger

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

Win32.Spyware.AveMaria

Status:

Malicious

First seen:

2021-07-26 13:08:06 UTC

AV detection:

19 of 27 (70.37%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dn2bntgrjv34hyzkzwg6stl2hza5prqvzyx6asvzevacl6w6crsa._file

Verdict:

malicious

SnakeKeylogger

0a37b966b67a5ae6f09f284f453bf83944916dec7f8676be4a712cc92a3fc186

SnakeKeylogger

19114d1f7709bcabb6ea19c9145267e114a403a690975c6eac5c8478ed278cf2

SnakeKeylogger

2ee555b4d69513eed39976e0fb0e6a6165d20c30e8a4dcc1e55ea7e001dc1127

SnakeKeylogger

549b1c385da022b7a956a88993359279d053227adf005eacc80e92d340921958

SnakeKeylogger

8cafbdf8e6cad776ad993ca3bdd470f5fc7d7fa1e2853df483f951204022943e

SnakeKeylogger

f60897df461030a6640c3877dd00d8dda07166f66ba3fcbff47f1a41d8dd8127

SnakeKeylogger

+ 346 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/210726-zl2mxtrrn2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Unpacked files

SH256 hash:

1a8dd42e3d190970ff37a780adee81c831f223b36cbe4197e76068e78d49573a

MD5 hash:

b83c8ee0c89f6123847775644f9949bc

SHA1 hash:

20d08bcb364edf05b7c29b0e126148c5bdbb1042

Link:

https://www.unpac.me/results/2fcd0cd9-e2a7-4212-93a4-065a1760442c/

SH256 hash:

1b7416ccd14d77c3e32acd8de94d7a3e41d7c615ce2fe04ab9254025fade1464

MD5 hash:

139d42abb395bab309612cb3bd31b4bd

SHA1 hash:

12173902ddd86e520055c09c2ec33528bd272411

Link:

https://www.unpac.me/results/2fcd0cd9-e2a7-4212-93a4-065a1760442c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1b7416ccd14d77c3e32acd8de94d7a3e41d7c615ce2fe04ab9254025fade1464

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICOIUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

exe 1b7416ccd14d77c3e32acd8de94d7a3e41d7c615ce2fe04ab9254025fade1464

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/174127/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample