MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40c0aeecd4e2a74e596321dc0ad63cd62ce9e3c0cc1a2d095844e20bef5fec40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments 1

SHA256 hash:	40c0aeecd4e2a74e596321dc0ad63cd62ce9e3c0cc1a2d095844e20bef5fec40
SHA3-384 hash:	1fa464bcbded6f1966fd67c1e97760ed4ebc4d0722a45a114a27f6fd450290632880f5e729d689650c2022e3024e5606
SHA1 hash:	4ea9232d596a9cecc89e50c73a43bf45b99ffa32
MD5 hash:	fbd93ef7f7c0d319e22b59cc56ca9a2a
humanhash:	butter-washington-berlin-utah
File name:	fbd93ef7f7c0d319e22b59cc56ca9a2a
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	940'032 bytes
First seen:	2023-02-08 19:41:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:71bgzPGhgzfYAwMYeJ73JUSf81R1gpHZo:7ZyPyywAwMYe86CRmjo
Threatray	9'306 similar samples on MalwareBazaar
TLSH	T1FB1512256214CA64D46D47BDCCB0EAF113753EB6E960DEC72DC2BECE3A367A14054AC2
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	zbetcheckin
Tags:	32 exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

195

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

fbd93ef7f7c0d319e22b59cc56ca9a2a

Verdict:

Malicious activity

Analysis date:

2023-02-08 19:44:41 UTC

Tags:

evasion trojan snake keylogger

Link:

https://app.any.run/tasks/43cfda65-06e2-446f-8cf4-ed60a99e7b56

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/362272/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

80%

Tags:

packed

Link:

https://www.filescan.io/uploads/63e3fb103e913789a6f99eb0/reports/fbdcb260-5a98-451d-b886-18b98db0a8a2/overview

Verdict:

Malicious

Labled as:

MSIL/Kryptik_AGeneric.AII trojan

Link:

https://www.hybrid-analysis.com/sample/40c0aeecd4e2a74e596321dc0ad63cd62ce9e3c0cc1a2d095844e20bef5fec40

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a3864e40-806f-45e4-8c6c-77ca39b8f45f

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1169179

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/40c0aeecd4e2a74e596321dc0ad63cd62ce9e3c0cc1a2d095844e20bef5fec40/

Threat name:

Win32.Backdoor.Androm

Status:

Malicious

First seen:

2023-02-08 12:02:32 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 26 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=idak53gu4ktu4wldehoavvr42ywoty6azqnc2ckyitrax3275raa._file

Verdict:

malicious

SnakeKeylogger

0f467217bcccaa0eb494cb5da8e328cf5d16639ff4dc5d0cf56df96895f19a38

SnakeKeylogger

1092d7ec9366334de4f4a244154a01816d343523764573546eceec51f5e36976

SnakeKeylogger

2f7fa88382210dc974ad20d7dd204655d5321cb220f7507bfbe57577c767d66a

SnakeKeylogger

4bfbab57c386a9e42854bbe2963e016025cdc68946c0915c425ba301662ce78b

SnakeKeylogger

4fc2e821a7e7d72363cbc61a1fb1ed5a4cd1c06c09b3794b1ac24ef2fd73b4fd

SnakeKeylogger

5082b3c06b1c05a23ac3074cc33ecd3a3396b50b4d6259685442d727179747bf

SnakeKeylogger

7b59507d5b9f3c30fc095fabfc7e88ff59977767cc39477ca75f20577a750989

SnakeKeylogger

ddf0772c851138bd086ac7f40fb3737fe3d5293ba7123bdc6639489eb4d5829e

SnakeKeylogger

e417867ac84d86d4b244788731d9c840ff0537640665083d293d077633f0628e

SnakeKeylogger

+ 9'296 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230208-yenv8sed2x/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5814180506:AAFpVfxl9CBszzsUeg8FTylBwiTKUc4g3lA/sendMessage?chat_id=5056270248

Unpacked files

SH256 hash:

8a6efa41d0ec15c4dffa9364fc8617c39383def886ae8e16c8b0f3cf1a5a2124

MD5 hash:

5543adca852a1a7deb90a3dc1d63308d

SHA1 hash:

d84c327bccca0c2089297b229333499b13d7a29b

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/a231112d-42c7-4e05-a6e9-2b73e3fc4b20/

Parent samples :

59903dbe12d0e5cd2961b4ff5bd3301d7467fdb4c95ef23036bf0b1e7c42f8be
86bbdfb30d760c948d6493941fc293ac073da4e622e3385575621a5823159b64
0e803cb90548d53886ab681f62ac7bcd45f9e33c3d2d9f6afce921a680916c67
16c70890f10e57d8fc644114f168b302a49bca04865b7af24f8e10f81d0e0e1e
412345db793d224f02d6529cde113d57fbc0673cfb1be4a40cc75342d6607cae
53ea6b76054fdccbe2b129aa71ffadfd5a24bc8dcea34b05e5a7aadf39966a41
916677af442bb08e425f3e31f614e2afca12ca7d2ab51976b409bd97013b0714
e3ff193a4d796ef753bc68ac96f45f6acdc728bf43080c6c2d2e0e32c99366ac
b3becceee731f92a558739ae11d931f571ab038a09b09661f0519eb5256e6303
56f63b02b2937f3a3cddae702465c1fb1f8f926a09a7ec6fe00a43ce447cb24b
b6ba9b1f0724dee6813ee67780cc5a130e5565d616b6acf53a7ef417ab580dfc
2c0040dfc6eef6371e00934559c481012e35a651d9d1e816f103b98a7af05749
c0abc071c31039697cb8f13d2769118e4068e78ad5d40fcc900462f709ab62ac
cc446f15fd527dd3d3dec1013dca6e1083d81c7499a0288a0ac71ad6832b4cd3
40c0aeecd4e2a74e596321dc0ad63cd62ce9e3c0cc1a2d095844e20bef5fec40
2cee131ab571c6866a10be794fb02583f30c577d93ee9742845331294923c1e7

SH256 hash:

0e537fc81b69ff1bfc965e761c025e2af39fafb89cdf02e5c3f83b96ebaef0d1

MD5 hash:

5b5201ca2ae1c43901d61853061b5e4a

SHA1 hash:

bcf618f08078fa7274a52d03fdc198ca03d5b18f

Link:

https://www.unpac.me/results/a231112d-42c7-4e05-a6e9-2b73e3fc4b20/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/a231112d-42c7-4e05-a6e9-2b73e3fc4b20/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

46cb32256dba295b72212185d3bf29e54de9f78fe32a8e43c82288285c3bf721

MD5 hash:

453d8d23d417dacecac4ad0235d2b420

SHA1 hash:

6aaffef79f32f151aef9d5c548ac9055ea6c2f35

Link:

https://www.unpac.me/results/a231112d-42c7-4e05-a6e9-2b73e3fc4b20/

SH256 hash:

f0a75674c5f274cb6da7eac4f23ec48946e32179db4ef9f19efb2ce3bc363e1c

MD5 hash:

90a626086cf65e394930b8e9be83fc30

SHA1 hash:

503f80eac0071ae19a20684749ec7ad946ae361e

Link:

https://www.unpac.me/results/a231112d-42c7-4e05-a6e9-2b73e3fc4b20/

SH256 hash:

40c0aeecd4e2a74e596321dc0ad63cd62ce9e3c0cc1a2d095844e20bef5fec40

MD5 hash:

fbd93ef7f7c0d319e22b59cc56ca9a2a

SHA1 hash:

4ea9232d596a9cecc89e50c73a43bf45b99ffa32

Link:

https://www.unpac.me/results/a231112d-42c7-4e05-a6e9-2b73e3fc4b20/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/40c0aeecd4e2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.87

Link:

https://yomi.yoroi.company/submissions/40c0aeecd4e2a74e596321dc0ad63cd62ce9e3c0cc1a2d095844e20bef5fec40

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SnakeKeylogger

exe 40c0aeecd4e2a74e596321dc0ad63cd62ce9e3c0cc1a2d095844e20bef5fec40

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2534416/

Cape

https://www.capesandbox.com/analysis/362272/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-02-08 19:41:40 UTC

url : hxxp://38.153.157.57/214/vbc.exe