MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 279e5377adb28951afa282d008b2612c2c88b2355f94e66ca5a9844c8f534329. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 13


Intelligence 13 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 279e5377adb28951afa282d008b2612c2c88b2355f94e66ca5a9844c8f534329
SHA3-384 hash: b3dca3663eae239f5a5423a9956cacb6a03764e43c40b7da6c4f7383e60ae5fa5b44d1f1919395253d0b5939a348998e
SHA1 hash: 0745467056eb545b19b679c6f90956be39fb02c1
MD5 hash: d50bd7120937401fb9347aa041cf9464
humanhash: harry-oscar-illinois-king
File name:SX0987654567PPOIUY.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:730'818 bytes
First seen:2023-01-20 19:24:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 98f67c550a7da65513e63ffd998f6b2e (21 x SnakeKeylogger, 13 x MassLogger, 11 x CryptOne)
ssdeep 12288:GENN+T5xYrllrU7QY6JYNLScYdqSvlaFY0l+pIiD0etI:K5xolYQY6JYZHSvAFY2IeUI
TLSH T16FF49F6ABA10919FE8E356F06C17E13675617D281BD2AC0F23D27B0A74B215374BA31F
TrID 58.0% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
22.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.4% (.EXE) Win64 Executable (generic) (10523/12/4)
3.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 71ccc4ccccc4f8d8 (1 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SX0987654567PPOIUY.exe
Verdict:
Malicious activity
Analysis date:
2023-01-20 19:33:23 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/93c6f33f-9ea7-4311-9b2d-b214e6e0f36b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Win.Malware.Swisyn-7610494-0
Create hunting rule

Win.Virus.Sality-6335700-2
Create hunting rule

Win.Malware.Swisyn-9942393-0
Create hunting rule

Win.Trojan.VBGeneric-6735885-0
Create hunting rule

Win.Virus.Sality-6747602-0
Create hunting rule

Win.Malware.Swisyn-6803865-0
Create hunting rule

Win.Trojan.Kazy-304
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Setting a single autorun event
Launching the process to create tasks for the scheduler
Enabling autorun
Enabling a "Do not show hidden files" option
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer greyware keylogger neshta overlay packed shell32.dll siggen6 swisyn virus
Link:
https://www.filescan.io/uploads/63caea9289bd67c10fd8e053/reports/6b174a9a-c78a-443a-97e8-a34c5946a35f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4af19da4-a9e4-4320-9c64-8c2fb43b5c56
Result
Threat name:
CryptOne, Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1155767
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture screen (.Net source)
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Detected CryptOne packer
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 788501 Sample: SX0987654567PPOIUY.exe Startdate: 20/01/2023 Architecture: WINDOWS Score: 100 99 Malicious sample detected (through community Yara rule) 2->99 101 Antivirus detection for dropped file 2->101 103 Antivirus / Scanner detection for submitted sample 2->103 105 10 other signatures 2->105 11 SX0987654567PPOIUY.exe 1 4 2->11         started        15 explorer.exe 2->15         started        17 svchost.exe 2->17         started        19 3 other processes 2->19 process3 file4 75 C:\Users\user\...\sx0987654567ppoiuy.exe, PE32 11->75 dropped 77 C:\Users\user\AppData\Local\icsys.icn.exe, PE32 11->77 dropped 129 Installs a global keyboard hook 11->129 21 icsys.icn.exe 3 11->21         started        25 sx0987654567ppoiuy.exe 19 11->25         started        signatures5 process6 file7 71 C:\Windows\System\explorer.exe, PE32 21->71 dropped 121 Antivirus detection for dropped file 21->121 123 Machine Learning detection for dropped file 21->123 125 Drops executables to the windows directory (C:\Windows) and starts them 21->125 127 2 other signatures 21->127 27 explorer.exe 3 25 21->27         started        73 C:\Users\user\AppData\Local\...\wfzxfunpj.exe, PE32 25->73 dropped 32 wfzxfunpj.exe 1 25->32         started        signatures8 process9 dnsIp10 89 vccmd01.zxq.net 51.81.194.202, 443, 49715, 49716 OVHFR United States 27->89 91 zxq.net 27->91 93 5 other IPs or domains 27->93 79 C:\Windows\System\spoolsv.exe, PE32 27->79 dropped 81 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 27->81 dropped 131 Antivirus detection for dropped file 27->131 133 System process connects to network (likely due to code injection or exploit) 27->133 135 Creates an undocumented autostart registry key 27->135 143 3 other signatures 27->143 34 spoolsv.exe 2 27->34         started        137 Multi AV Scanner detection for dropped file 32->137 139 Detected unpacking (changes PE section rights) 32->139 141 Detected unpacking (overwrites its own PE header) 32->141 145 3 other signatures 32->145 38 wfzxfunpj.exe 15 2 32->38         started        41 conhost.exe 32->41         started        file11 signatures12 process13 dnsIp14 69 C:\Windows\System\svchost.exe, PE32 34->69 dropped 107 Antivirus detection for dropped file 34->107 109 Machine Learning detection for dropped file 34->109 111 Drops executables to the windows directory (C:\Windows) and starts them 34->111 119 2 other signatures 34->119 43 svchost.exe 3 3 34->43         started        85 checkip.dyndns.org 38->85 87 checkip.dyndns.com 193.122.130.0, 49719, 80 ORACLE-BMC-31898US United States 38->87 113 Tries to steal Mail credentials (via file / registry access) 38->113 115 Tries to harvest and steal ftp login credentials 38->115 117 Tries to harvest and steal browser information (history, passwords, etc) 38->117 file15 signatures16 process17 dnsIp18 95 192.168.2.1 unknown unknown 43->95 83 C:\Users\user\AppData\Local\stsys.exe, PE32 43->83 dropped 147 Antivirus detection for dropped file 43->147 149 Detected CryptOne packer 43->149 151 Machine Learning detection for dropped file 43->151 153 3 other signatures 43->153 48 spoolsv.exe 43->48         started        51 at.exe 43->51         started        53 at.exe 43->53         started        55 24 other processes 43->55 file19 signatures20 process21 signatures22 97 Installs a global keyboard hook 48->97 57 conhost.exe 51->57         started        59 conhost.exe 53->59         started        61 conhost.exe 55->61         started        63 conhost.exe 55->63         started        65 conhost.exe 55->65         started        67 21 other processes 55->67 process23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/279e5377adb28951afa282d008b2612c2c88b2355f94e66ca5a9844c8f534329/
Threat name:
Win32.Trojan.Swisyn
Create hunting rule
Status:
Malicious
First seen:
2023-01-20 09:44:29 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e6pfg55nwkevdl5cqliarmtbfqwirmrvl6kom3ffvgcezd2timuq._file
Verdict:
malicious
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection evasion keylogger persistence spyware stealer
Link:
https://tria.ge/reports/230120-x4yajabd3y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Modifies Installed Components in the registry
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
Snake Keylogger
Snake Keylogger payload
Unpacked files
SH256 hash:
5234cff095557841c8b452ee6e336692665fd7b5d83f0774989a46a5664aeec0
MD5 hash:
7eb32ef8c0e109dcc48dc4475927bb67
SHA1 hash:
6fc7691c45e8958540e428766cefbeea8e9075e4
Link:
https://www.unpac.me/results/14262591-21c1-44ba-93e5-b11f54f43ffe/
SH256 hash:
1bcbf767e48ae3329e48fd7ff6751866c4ebb1d8574fd06a8f1a4d26f52a15c2
MD5 hash:
f27ae3db6c000a259201b7f79e214eae
SHA1 hash:
9629cc96c420aae441b26b55ccf053cf75e1a122
Link:
https://www.unpac.me/results/14262591-21c1-44ba-93e5-b11f54f43ffe/
SH256 hash:
279e5377adb28951afa282d008b2612c2c88b2355f94e66ca5a9844c8f534329
MD5 hash:
d50bd7120937401fb9347aa041cf9464
SHA1 hash:
0745467056eb545b19b679c6f90956be39fb02c1
Link:
https://www.unpac.me/results/14262591-21c1-44ba-93e5-b11f54f43ffe/
Malware family:
SnakeKeylogger
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/279e5377adb2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/279e5377adb28951afa282d008b2612c2c88b2355f94e66ca5a9844c8f534329

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat_Detection_Dec_2022
Create hunting rule
Author:Potatech
Description:AsyncRat
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Envrial_Jan18_1
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:MAL_Envrial_Jan18_1_RID2D8C
Create hunting rule
Author:Florian Roth
Description:Detects Encrial credential stealer malware
Reference:https://twitter.com/malwrhunterteam/status/953313514629853184
Rule name:masslogger_gcch
Create hunting rule
Author:govcert_ch
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_SnakeKeylogger_af3faa65
Create hunting rule
Author:Elastic Security
Rule name:win_masslogger_w0
Create hunting rule
Author:govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

Executable exe 279e5377adb28951afa282d008b2612c2c88b2355f94e66ca5a9844c8f534329

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/355064/

Comments