MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bad27962e547d124508b0d4cf410099897016d06a60ef51badf5fb67b95771e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 10 File information Comments

SHA256 hash:	1bad27962e547d124508b0d4cf410099897016d06a60ef51badf5fb67b95771e
SHA3-384 hash:	3eb6e6be39c25c2fd323051b1cd84d631ae4291ef2e68a3b849d944e842d7fc160a365c694a15c5f154831392f0135a5
SHA1 hash:	01b43477d3412a248d23c7c3a832b0e085547ef0
MD5 hash:	4ff5e0533b3d8e8bd3dcf3de18e02fd8
humanhash:	batman-emma-minnesota-asparagus
File name:	product layout.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	548'864 bytes
First seen:	2021-08-14 06:48:57 UTC
Last seen:	2021-08-14 07:56:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:p9NTD2ltlodV8B80yyHcGS3bIYw18mloELLtd/zvTxBHxFno8:q5flRT
Threatray	704 similar samples on MalwareBazaar
TLSH	T10CC4492439FA501AB173EFA95FE474E6DA6FB6333B03585D1091038A4723941DEE293E
dhash icon	32ceaeaeb2968eca (42 x SnakeKeylogger, 23 x Loki, 9 x AgentTesla)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

166

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

product layout.exe

Verdict:

Malicious activity

Analysis date:

2021-08-14 07:02:57 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d23d4222-fcec-4e18-8a01-36d4c3fc2f47

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/179158/

Detection(s):

SecuriteInfo.com.Variant.Barys.5541.24961.5376.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a file

DNS request

Connection attempt

Sending an HTTP GET request

Sending a custom TCP request

Reading critical registry keys

Creating a window

Sending a UDP request

Forced shutdown of a browser

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/80d64e4b-cad7-4560-8706-f2087adaa7e9

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/832826

Signature

.NET source code references suspicious native API functions

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses the Telegram API (likely for C&C communication)

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1bad27962e547d124508b0d4cf410099897016d06a60ef51badf5fb67b95771e/

Threat name:

Win32.Trojan.Sabsik

Status:

Malicious

First seen:

2021-08-14 00:05:08 UTC

AV detection:

21 of 46 (45.65%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dowspfrokr6reriiwdkm6qiatgexafwqnjqo6un235p3m64vo4pa._file

Verdict:

malicious

SnakeKeylogger

0efc0d67d9be3cbc40ab4ad49b85d9cc4bb5997211899feb7437e427831015fa

SnakeKeylogger

4e449fdff6df1acbaba9250bb8cb66e4674d49be190c0c9070ca3f5b8ee73435

SnakeKeylogger

522ef9da580292e5ef0de44c4c3522f8f4fea1f4248467ff66a7d638be7a305c

SnakeKeylogger

bbeac700ec88ce4b23f0bb5c996effc1586ef0e7802bc18695ecd3845a2a0022

SnakeKeylogger

fe7933b0f7dde64587b0bbdaa5e4728066c4eb56edab2ee863ad94cf52b0391f

SnakeKeylogger

+ 694 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger keylogger spyware stealer

Link:

https://tria.ge/reports/210814-w916kgvfbs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Malware Config

C2 Extraction:

https://api.telegram.org/bot1740221425:AAEOVM7H7MhKkyXcbjQXPID2QnxGYTTnqCY/sendMessage?chat_id=1482312326

Unpacked files

SH256 hash:

97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf

MD5 hash:

8cd28be4bd9a1404c6d3600db32b3ed1

SHA1 hash:

fb90b0ca51118e771390d58b19d0a404ee14cfbc

Link:

https://www.unpac.me/results/500b2e64-5de2-4202-9d74-9151474fb181/

SH256 hash:

d7f3be1f0f62e2df6e24d230222165b9c06ac39815fb6af59c03b396707727c8

MD5 hash:

8915e53cb8e0c65615e9221269013021

SHA1 hash:

b1e5e11763a2457c1b68e9ffa1b8e191c8f68f85

Link:

https://www.unpac.me/results/500b2e64-5de2-4202-9d74-9151474fb181/

SH256 hash:

896ea83d283736799c12bc4de1096358fff6c3057655e8c5217c6a65d8667e57

MD5 hash:

fca17275391623473d8b23f68b20c8be

SHA1 hash:

5afa176d5a457ba70d6d743adb9ee7c8904cf61c

Link:

https://www.unpac.me/results/500b2e64-5de2-4202-9d74-9151474fb181/

SH256 hash:

1bad27962e547d124508b0d4cf410099897016d06a60ef51badf5fb67b95771e

MD5 hash:

4ff5e0533b3d8e8bd3dcf3de18e02fd8

SHA1 hash:

01b43477d3412a248d23c7c3a832b0e085547ef0

Link:

https://www.unpac.me/results/500b2e64-5de2-4202-9d74-9151474fb181/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1bad27962e547d124508b0d4cf410099897016d06a60ef51badf5fb67b95771e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Telegram_Exfiltration_Via_Api Create hunting rule
Author:	lsepaolo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/179158/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample