MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4545f4eb2f04f075efdee44e3c2f98e31b5d3c25a258614cc6c85f8ea9cfd1e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SnakeKeylogger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4545f4eb2f04f075efdee44e3c2f98e31b5d3c25a258614cc6c85f8ea9cfd1e4
SHA3-384 hash: 8b522098a443b7449034951b2314baaabdbbb84a3fe5715e482ea9e367b26537c690f1ed750ac55b97fa53d7a2ad6f10
SHA1 hash: fcaaf12e83b95afb52f751be5ab95ddad5039eb6
MD5 hash: 5f2cff870f3ad30f418a46011c75d010
humanhash: pluto-whiskey-mexico-mirror
File name:AWB_131-39889640.exe
Download: download sample
Signature SnakeKeylogger
Create hunting rule
File size:374'272 bytes
First seen:2022-10-18 19:17:35 UTC
Last seen:2022-10-19 07:17:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:XwXl4Cfc3/cnEriDqh3PJ6Djh3MdkE2M4zgF6qLWPMpx1IJDQzj/wBlBgaceIjv7:Xifw/cnTY3Pi5CZ4grKP+DI2onBga8v7
Threatray 497 similar samples on MalwareBazaar
TLSH T15E84E148023B56B1FF6FE23484AD83009EEAD069576D2F33AF06B8BCC97795B91E4145
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Reporter GovCERT_CH
Tags:exe SnakeKeylogger

Intelligence

File Origin
# of uploads :
4
# of downloads :
317
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321486/
Detection(s):
SecuriteInfo.com.Win64.Malware-gen.14603.25003.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a service
Loading a system driver
Launching a process
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a window
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/634efbea8a8cb5d2d4a9e263/reports/f4060872-b587-44f7-b2d8-8046e88e71b7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/aa0571f9-19db-4340-9064-873b4a1affcb
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1093001
Signature
.NET source code references suspicious native API functions
Creates autostart registry keys with suspicious names
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 725623 Sample: AWB_131-39889640.exe Startdate: 18/10/2022 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 5 other signatures 2->40 6 AWB_131-39889640.exe 5 1 2->6         started        10 AWB_131-39889640.exe 2 2 2->10         started        12 AWB_131-39889640.exe 1 2->12         started        process3 file4 26 C:\Users\user\AppData\Local\Temp\?????.sys, PE32+ 6->26 dropped 42 Creates autostart registry keys with suspicious names 6->42 44 Writes to foreign memory regions 6->44 46 Sample is not signed and drops a device driver 6->46 48 Injects a PE file into a foreign processes 6->48 14 CasPol.exe 15 4 6->14         started        28 C:\Users\user\...\AWB_131-39889640.exe.log, CSV 10->28 dropped 18 fodhelper.exe 12 10->18         started        20 fodhelper.exe 10->20         started        22 fodhelper.exe 12 12->22         started        24 fodhelper.exe 12->24         started        signatures5 process6 dnsIp7 30 checkip.dyndns.com 193.122.130.0, 49720, 80 ORACLE-BMC-31898US United States 14->30 32 checkip.dyndns.org 14->32 50 May check the online IP address of the machine 14->50 52 Tries to steal Mail credentials (via file / registry access) 14->52 54 Tries to harvest and steal ftp login credentials 14->54 56 Tries to harvest and steal browser information (history, passwords, etc) 14->56 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4545f4eb2f04f075efdee44e3c2f98e31b5d3c25a258614cc6c85f8ea9cfd1e4/
Threat name:
ByteCode-MSIL.Trojan.SnakeKeylogger
Create hunting rule
Status:
Malicious
First seen:
2022-10-18 19:35:43 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ivc7j2zpatyhl3664rhdyl4y4mnv2pbfujmgctggzbpy5kop2hsa._file
Verdict:
unknown
Similar samples:
3a64393091b5986993f20990f8709a8e0e06375d692b5721c216eda9782c6f5d
SnakeKeylogger
5c50b7e005524ede0a2c636b92a0933bc631c783bb8201e98dbdc52c390cd566
SnakeKeylogger
5d556482f05115b750d21eeb299149a66fde162574680a37653464b985635cdd
SnakeKeylogger
6b7204b9938cdc7e24b589faac4e12ed848c7121269899614b38bc95784845b9
SnakeKeylogger
7497edc571612474fa977fb41380c3a95b2912b2cda52898dc0a404f067c9ee3
SnakeKeylogger
ae704a7a716d4496ce1f47ca054a79f60e9cb4d8cdb898d5fcf06a172006b833
SnakeKeylogger
cb05606b742226130a4e421b47b04bee21b4da79bb883c15a3c6a9002d8dfa7d
SnakeKeylogger
dbbbd0005d11a416cff52556e90001bac5549697937d69b906a51220e44c6e6e
SnakeKeylogger
+ 487 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger persistence stealer
Link:
https://tria.ge/reports/221018-xzxs7sdfel/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Sets service image path in registry
Snake Keylogger
Snake Keylogger payload
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/27296237-883b-4da4-b528-d8e9bcef914e
Unpacked files
SH256 hash:
4545f4eb2f04f075efdee44e3c2f98e31b5d3c25a258614cc6c85f8ea9cfd1e4
MD5 hash:
5f2cff870f3ad30f418a46011c75d010
SHA1 hash:
fcaaf12e83b95afb52f751be5ab95ddad5039eb6
Link:
https://www.unpac.me/results/15b16050-40c8-49a9-952d-3e39013046b1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/4545f4eb2f04f075efdee44e3c2f98e31b5d3c25a258614cc6c85f8ea9cfd1e4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SnakeKeylogger

iso 6071b387b4dda9da63d4d4e8d6c43c1b156403902c56a77c78389b0f5597f65d

SnakeKeylogger

Executable exe 4545f4eb2f04f075efdee44e3c2f98e31b5d3c25a258614cc6c85f8ea9cfd1e4

(this sample)

  
Dropped by
snakekeylogger
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/321486/
  
Dropped by
SHA256 6071b387b4dda9da63d4d4e8d6c43c1b156403902c56a77c78389b0f5597f65d
  
Dropped by
MD5 250efea88a677942b777f636e8fe6a37

Comments