MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 311d2cf600759ff7a5307ba839c48b2fd6c138154deeebad7825f797a019156f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 311d2cf600759ff7a5307ba839c48b2fd6c138154deeebad7825f797a019156f
SHA3-384 hash: a5d2dd9cba1742d65cf3ee7ade247dc4f71bcb414864380fa35c1c5a3960fade86784903d1428a63ac861c2ec5830586
SHA1 hash: b5846f9231505001c17e3554d5cf12bd48efb8af
MD5 hash: 70e3640637eb49e2a166ac62d8ab3cfe
humanhash: venus-carbon-three-zebra
File name:70e3640637eb49e2a166ac62d8ab3cfe.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:658'484 bytes
First seen:2022-04-16 06:03:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (730 x GuLoader, 452 x Formbook, 295 x Loki)
ssdeep 12288:ONp4Wi//peiRnYqNa7rOG0pLmOsgVMzVuLo:ON7i/R/nY+qv4mOCzY8
Threatray 3'364 similar samples on MalwareBazaar
TLSH T16CE4E0A0F3C190C7C8795AB694979770266BDD75D8E40A83219C3A9E4D733878C398EF
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 70ccce9697c5e464 (2 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
70e3640637eb49e2a166ac62d8ab3cfe.exe
Verdict:
Malicious activity
Analysis date:
2022-04-16 06:04:54 UTC
Tags:
evasion trojan
Link:
https://app.any.run/tasks/37231c95-a8f3-4e5e-ac1a-32915a4711de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/264067/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a browser
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/14014/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe overlay packed python shell32.dll virus
Link:
https://www.filescan.io/uploads/625a5c53482f2f41caba4d35/reports/ce55d2de-0c32-4aab-be7b-f145e57e774f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Snake Keylogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9f8c8911-01e4-4cf2-ab1b-6f33a5a6062b
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/977611
Signature
.NET source code references suspicious native API functions
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/311d2cf600759ff7a5307ba839c48b2fd6c138154deeebad7825f797a019156f/
Threat name:
Win32.Trojan.DelfInject
Create hunting rule
Status:
Malicious
First seen:
2022-04-08 00:30:02 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
29 of 42 (69.05%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=geosz5qaowp7pjjqpoudtrelf7lmcoavjxxoxllyex3zpiazcvxq._file
Verdict:
malicious
Similar samples:
0a67ff35add751a754db8f7d55515b0dbac034b87274cfd1cc351f7679a98b2f
SnakeKeylogger
139dc34c95ff5a6c6b321d52639ab41782862a9a2df9aac1ac76c24f61c6cae6
SnakeKeylogger
182ca12a043adab6e5830707aa35f1e27bccec6e713695a188c29dc3e234816e
SnakeKeylogger
a86780fe8b045b77b87fd9b23ca5407d12236a1b3ecbad676860f518d62548e7
SnakeKeylogger
d9c3080d262ce878565455b1d34ab1ed0c45e470cb6651de7e168150807c7d1c
SnakeKeylogger
e2f51241300d7e6249e13dd4c3dc9fc544f99bc6ad56a0c9dbce6e322142e2a1
SnakeKeylogger
+ 3'354 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger keylogger persistence stealer
Link:
https://tria.ge/reports/220416-gsk8tsdagp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Snake Keylogger
Snake Keylogger Payload
Unpacked files
SH256 hash:
5d94461f04fd97ba6611eea69ae143c0a19128991d2d27c1719a5b7031fe96fe
MD5 hash:
f2baf9dac070fa016b4b39988c63740f
SHA1 hash:
b42c4186590bcb69a3e2b9f05f2c79d7a1b10f43
Link:
https://www.unpac.me/results/db3f4818-e934-4101-bac2-01df332bf240/
SH256 hash:
5964bd9beb28cb3787428bcb0ef5be49a49c346fcd449dc0a37b3b168727d8dd
MD5 hash:
fe268b4fc187fdfae185f2120f024d41
SHA1 hash:
a7cde53e4a265d7c1580dfdf487b37b2610cef58
Link:
https://www.unpac.me/results/db3f4818-e934-4101-bac2-01df332bf240/
SH256 hash:
5bdb27e9b1ce24e2bfe3e501c62df8f82e7c4b2ea93d7d8a0f5a1548e6bb9825
MD5 hash:
8619acda8b62ab6926c4baaf163b8c8c
SHA1 hash:
59f2fa022efb606cc0fd2c32312926434254d0be
Link:
https://www.unpac.me/results/db3f4818-e934-4101-bac2-01df332bf240/
SH256 hash:
311d2cf600759ff7a5307ba839c48b2fd6c138154deeebad7825f797a019156f
MD5 hash:
70e3640637eb49e2a166ac62d8ab3cfe
SHA1 hash:
b5846f9231505001c17e3554d5cf12bd48efb8af
Link:
https://www.unpac.me/results/db3f4818-e934-4101-bac2-01df332bf240/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/311d2cf600759ff7a5307ba839c48b2fd6c138154deeebad7825f797a019156f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DotNetProcHook
Create hunting rule
Author:ditekSHen
Description:Detects executables with potential process hoocking
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_SnakeKeylogger
Create hunting rule
Author:ditekSHen
Description:Detects Snake Keylogger
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/264067/

Comments