MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 412345db793d224f02d6529cde113d57fbc0673cfb1be4a40cc75342d6607cae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SnakeKeylogger

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	412345db793d224f02d6529cde113d57fbc0673cfb1be4a40cc75342d6607cae
SHA3-384 hash:	de1bb58d81e16297a35039c268be19d37af2ea20f377a67f29dc94f1776e1086a470fdbaedbbf156674941993610cdf6
SHA1 hash:	b75940d361f2656cdd2c738af26d30d00c045f42
MD5 hash:	a3ce576f8970086a849d6ebec2a680f4
humanhash:	stream-salami-saturn-sad
File name:	SecuriteInfo.com.Trojan.Olock.1.30824.11352
Download:	download sample
Signature	SnakeKeylogger Create hunting rule
File size:	713'216 bytes
First seen:	2023-01-10 07:43:32 UTC
Last seen:	2023-01-10 08:34:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:u8CIOkW4XWqWYEUJNp4azn4N2JEvn9HBrw4qE4iVV/r7VWC/8gfzGY3O:AIOkW3YEUJNpfY2OFBdqEZV/NWC0gfzY
Threatray	8'112 similar samples on MalwareBazaar
TLSH	T1C7E4F22926F5A90EFD7E62BB5210DB9403B1A620C749D59D0DE736CECBF8B2D5207213
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	00c0c8c1e6789842 (4 x AgentTesla, 3 x RemcosRAT, 1 x SnakeKeylogger)
Reporter	SecuriteInfoCom
Tags:	exe SnakeKeylogger

Intelligence

File Origin

# of uploads :

# of downloads :

176

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.Olock.1.30824.11352

Verdict:

Malicious activity

Analysis date:

2023-01-10 07:43:53 UTC

Tags:

evasion trojan

Link:

https://app.any.run/tasks/6136cdd7-0efb-4f99-94e3-76a93b2f71d0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Snake

Link:

https://www.capesandbox.com/analysis/351415/

Detection(s):

SecuriteInfo.com.Trojan.Olock.1.30824.11352.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a process from a recently created file

Creating a file in the %temp% directory

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63bd17440fdf1633326e1c64/reports/4136d48e-e5ac-40af-9159-b95948ca9254/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Snake Keylogger

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/06cb015c-e78b-414a-b5c3-3936333ccd01

Result

Threat name:

Snake Keylogger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1148535

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Snake Keylogger

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/412345db793d224f02d6529cde113d57fbc0673cfb1be4a40cc75342d6607cae/

Threat name:

ByteCode-MSIL.Trojan.RealProtect

Status:

Malicious

First seen:

2023-01-10 07:44:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ierulw3zhure6awwkkon4ej5k754azz47mn6jjamy5jufvtapsxa._file

Verdict:

malicious

SnakeKeylogger

5ea5baa76e56e7f96fc470ff3b0a6d9b3ba0d0460b2228ab334e0048de21fe90

SnakeKeylogger

6b985b8239b575b46b57f36daaa55e30efabf08e39f2a421e12f0e6b82cb5cc4

SnakeKeylogger

86bbdfb30d760c948d6493941fc293ac073da4e622e3385575621a5823159b64

SnakeKeylogger

8fc56654c730505dd97bbe04e8c9f688b7b9366eb1981e848fe3c829a553f40d

SnakeKeylogger

a5c5fff9f5fb5557c0be28962dd29a09b3691eeab05cb2970718d877b2559b97

SnakeKeylogger

b14307b09dd1fd88ade7af00722570d4a4a998881c95952d8c2e18a34a1eb0f9

SnakeKeylogger

b1a095ae8f5562162a591f8871ba8aecc46d43e875a19f2cd56d7b9c03b56cb2

SnakeKeylogger

bbeb2bc4ebccbf94ad87dd8f650d4b9e2b9dc65b0fe9e785a44a4f8e464b575e

SnakeKeylogger

f5b86bcb2e58400f938e94c71a1b1e7b06d6e9bc1749fc1e6f999110e4fc9143

SnakeKeylogger

+ 8'102 additional samples on MalwareBazaar

Result

Malware family:

snakekeylogger

Score:

10/10

Tags:

family:snakekeylogger collection keylogger spyware stealer

Link:

https://tria.ge/reports/230110-jktlcafc95/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Snake Keylogger

Snake Keylogger payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5814180506:AAFpVfxl9CBszzsUeg8FTylBwiTKUc4g3lA/sendMessage?chat_id=5056270248

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/39fb74bf-3194-4115-9c83-4fdad38a987b

Unpacked files

SH256 hash:

8a6efa41d0ec15c4dffa9364fc8617c39383def886ae8e16c8b0f3cf1a5a2124

MD5 hash:

5543adca852a1a7deb90a3dc1d63308d

SHA1 hash:

d84c327bccca0c2089297b229333499b13d7a29b

Detections:

snake_keylogger

Link:

https://www.unpac.me/results/a557b892-a510-44fb-9489-fdbfe4c0c925/

Parent samples :

59903dbe12d0e5cd2961b4ff5bd3301d7467fdb4c95ef23036bf0b1e7c42f8be
86bbdfb30d760c948d6493941fc293ac073da4e622e3385575621a5823159b64
0e803cb90548d53886ab681f62ac7bcd45f9e33c3d2d9f6afce921a680916c67
16c70890f10e57d8fc644114f168b302a49bca04865b7af24f8e10f81d0e0e1e
412345db793d224f02d6529cde113d57fbc0673cfb1be4a40cc75342d6607cae
53ea6b76054fdccbe2b129aa71ffadfd5a24bc8dcea34b05e5a7aadf39966a41
916677af442bb08e425f3e31f614e2afca12ca7d2ab51976b409bd97013b0714
e3ff193a4d796ef753bc68ac96f45f6acdc728bf43080c6c2d2e0e32c99366ac
b3becceee731f92a558739ae11d931f571ab038a09b09661f0519eb5256e6303
56f63b02b2937f3a3cddae702465c1fb1f8f926a09a7ec6fe00a43ce447cb24b
b6ba9b1f0724dee6813ee67780cc5a130e5565d616b6acf53a7ef417ab580dfc
2c0040dfc6eef6371e00934559c481012e35a651d9d1e816f103b98a7af05749
c0abc071c31039697cb8f13d2769118e4068e78ad5d40fcc900462f709ab62ac
cc446f15fd527dd3d3dec1013dca6e1083d81c7499a0288a0ac71ad6832b4cd3
40c0aeecd4e2a74e596321dc0ad63cd62ce9e3c0cc1a2d095844e20bef5fec40
2cee131ab571c6866a10be794fb02583f30c577d93ee9742845331294923c1e7

SH256 hash:

fed63fd03e8ba7afe35885bbc805f3ac4633a99945afa11819a9fb8406ea53b3

MD5 hash:

5e785c6ad416339553a90b3bdb104dd4

SHA1 hash:

cf47fe436a16dbede39fd8e0062c8c4b6f00a553

Link:

https://www.unpac.me/results/a557b892-a510-44fb-9489-fdbfe4c0c925/

SH256 hash:

cf59af1af66ed62604b0fde47db28ed43aa311cbe4c4faac5572634d60e830b4

MD5 hash:

48764fe9a8dbcfa8fe9a7711c8cb9760

SHA1 hash:

c41e75ef43d24b703a67cb9d1a5fa223e548a872

Link:

https://www.unpac.me/results/a557b892-a510-44fb-9489-fdbfe4c0c925/

SH256 hash:

c47e2d12442ecc8e285ac50096896d2f5c5e7eb0d6be54c211011e8c440e2c83

MD5 hash:

134c8597c51c3ceb44400bc003c60fa2

SHA1 hash:

7ca835dd55c7a84175c03c86d2892719e3d05092

Link:

https://www.unpac.me/results/a557b892-a510-44fb-9489-fdbfe4c0c925/

SH256 hash:

ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747

MD5 hash:

89ac57478044c57c7195943116a521e0

SHA1 hash:

1ff2bafeed795423e3538d810bda8e1e3fcdcfa5

Link:

https://www.unpac.me/results/a557b892-a510-44fb-9489-fdbfe4c0c925/

SH256 hash:

412345db793d224f02d6529cde113d57fbc0673cfb1be4a40cc75342d6607cae

MD5 hash:

a3ce576f8970086a849d6ebec2a680f4

SHA1 hash:

b75940d361f2656cdd2c738af26d30d00c045f42

Link:

https://www.unpac.me/results/a557b892-a510-44fb-9489-fdbfe4c0c925/

Malware family:

SnakeKeylogger

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/412345db793d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/412345db793d224f02d6529cde113d57fbc0673cfb1be4a40cc75342d6607cae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/351415/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample