MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 285279bec716ca903235cb35cefed0d292a9be4be95c6df5c9529cba61812935. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 12

Intelligence 12 IOCs YARA 13 File information Comments

SHA256 hash:	285279bec716ca903235cb35cefed0d292a9be4be95c6df5c9529cba61812935
SHA3-384 hash:	68c7c8577b44dfa8f46591eae8c5524b4dc9d0061644e98d22fc85574427f9a374b7d7638145df9050f22b9db8865785
SHA1 hash:	6083b44fcd6d73fdcc31974c47b6be036218e071
MD5 hash:	48f2533619e5ff0def89a0802f2a374b
humanhash:	early-snake-twenty-failed
File name:	48f2533619e5ff0def89a0802f2a374b.exe
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	864'256 bytes
First seen:	2022-06-22 06:42:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:pRZx4bdO+Jt/ZLUQ53fPZpB4CvHnrT3AdX:pRUjJt/RjZvHP3W
Threatray	1'563 similar samples on MalwareBazaar
TLSH	T112056D5517842DC2EC724B3A96F31B62B6328B74147F834B2A1967BE493FBCC2E72154
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	8898a2ac1c9486be (8 x AsyncRAT, 2 x SnakeKeylogger)
Reporter	abuse_ch
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

210

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/282194/

Detection(s):

Win.Trojan.EmbeddedDotNetBinary-9940868-0

Win.Trojan.EmbeddedReversedDLL-9940922-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Running batch commands

Creating a process with a hidden window

Launching a process

Sending a custom TCP request

Creating a file in the %AppData% subdirectories

Unauthorized injection to a recently created process

Creating a file

DNS request

Sending an HTTP GET request

Reading critical registry keys

Creating a window

Enabling autorun by creating a file

Forced shutdown of a browser

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62b2ba41666084d7254703b7/reports/7cd3f626-f690-42fd-92ba-1d5f8770c6dd/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dcf27930-beb7-44d8-8381-91ba3a034b4c

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1017671

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Creates an undocumented autostart registry key

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/285279bec716ca903235cb35cefed0d292a9be4be95c6df5c9529cba61812935/

Threat name:

ByteCode-MSIL.Downloader.Seraph

Status:

Malicious

First seen:

2022-06-22 00:56:03 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fbjhtpwhc3fjamrvzm2457wq2kjktpsl5fog35ojkkoluymbfe2q._file

Verdict:

malicious

SnakeKeylogger

16e6086897059d30ddde828b6c5e435c045a281b3f3065e348b080377f55c33d

SnakeKeylogger

375e3b9aca92cb15f9e872d6d8495b40bef87ebce8fb10a67d7e6e816da3c40f

SnakeKeylogger

61a5a7c75af64b616ee9db1f6baa01a4e2d85c94b5cf2714d9919c70e32df9e4

SnakeKeylogger

61a66aec932ed8603de248a94140db83b1e167fd54b6481b781c769286a5371d

SnakeKeylogger

7b59a4629a4ba14300e292a33edb15dc42c209137ffa863ae4e78458a60f2258

SnakeKeylogger

924f61ba19c7ee9f31bb66a3ca14aa9bc573e193043720cbb368b6e2fa5be2c7

SnakeKeylogger

ac2f476e62ca13d4e3993027da7e7815d319b638c1aed5f0dc4f8e864b99609a

SnakeKeylogger

ae240fef9bc0a045767eccd95b0de70a279917717b5c2b34143cc22a51265b59

SnakeKeylogger

b6fbfbf74cf01bbf86409c59195a9ddf3337dd438d11bf11b4d81a33d2dfad2b

SnakeKeylogger

+ 1'553 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/220622-hjcqrshdhp/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger Payload

Unpacked files

SH256 hash:

9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026

MD5 hash:

9fbb8cec55b2115c00c0ba386c37ce62

SHA1 hash:

e2378a1c22c35e40fd1c3e19066de4e33b50f24a

Link:

https://www.unpac.me/results/2920eeae-132d-423f-9065-f084f84d1702/

SH256 hash:

a29e7c8ebec2199ed5094dcbd18c2e39e6b8ebd26fc788ded43b31843f46d342

MD5 hash:

7f8524464a48c582ef2048d3ed46e924

SHA1 hash:

59d86afbe99f3e5beb1c0b74d7e3c246de4b8ddd

Link:

https://www.unpac.me/results/2920eeae-132d-423f-9065-f084f84d1702/

SH256 hash:

b7a23beb4fe12df3c2caa2f574ad0b37f2a20fbf3911bb457c5734e585a6711c

MD5 hash:

ebc1de0eed5642a021c5d0e403f962ca

SHA1 hash:

32a1aedca342c68c5140e848d00ffa396bf233c6

Link:

https://www.unpac.me/results/2920eeae-132d-423f-9065-f084f84d1702/

SH256 hash:

285279bec716ca903235cb35cefed0d292a9be4be95c6df5c9529cba61812935

MD5 hash:

48f2533619e5ff0def89a0802f2a374b

SHA1 hash:

6083b44fcd6d73fdcc31974c47b6be036218e071

Link:

https://www.unpac.me/results/2920eeae-132d-423f-9065-f084f84d1702/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/285279bec716/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/285279bec716ca903235cb35cefed0d292a9be4be95c6df5c9529cba61812935

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook Create hunting rule
Author:	ditekSHen
Description:	Detects executables with potential process hoocking

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_SnakeKeylogger Create hunting rule
Author:	ditekSHen
Description:	Detects Snake Keylogger

Rule name:	MAL_Envrial_Jan18_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Envrial_Jan18_1_RID2D8C Create hunting rule
Author:	Florian Roth
Description:	Detects Encrial credential stealer malware
Reference:	https://twitter.com/malwrhunterteam/status/953313514629853184

Rule name:	MAL_Lokibot_Stealer Create hunting rule
Description:	Detects Lokibot Stealer Variants

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research